Tag privacy protecting method, tag device, backend device, updating device, update requesting device, programs for these devices, and recording medium storing these programs

ABSTRACT

According to a first invention, in response to an access from a reader, a tag device causes its second calculator to read a confidential value from a confidential value memory and to apply a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to generate tag output information. The tag output information is fed to an output section, which then delivers it to a backend apparatus. Subsequently, a first calculator reads out at least part of elements of the confidential value from the confidential value memory, and applies a first function F1, an inverse image of which is difficult to obtain, and a result of such calculation is used to update a confidential value in the confidential value memory by overwriting. According to a second invention, an updater which is provided externally of a tag device updates privileged ID information stored in a tag device into new privileged ID information, the association of which with the privileged ID information is difficult to follow, at a given opportunity.

TECHNICAL FIELD

The present invention relates to a tag technology incorporating information security technology, in particular, to a method of protecting tag privacy against acquisition of a user privacy information from information delivered from a tag device, a tag device, a backend apparatus, an updater, an update solicitor, programs therefor and a record medium carrying such programs in storage.

BACKGROUND ART

Recently an automatic tag identification system such as RFID (Radio Frequency Identification) is increasingly introduced. The system comprises an information record medium of a small size referred to as “tag device”, a reading machine referred to as “reader” and a database server referred to as “backend apparatus”, and is utilized in controlling the distribution of articles. A summary of this technology will be given below.

[Processing by Tag Device]

In a basic automatic tag identification system, each tag device has a tag ID information which is inherent thereto (for example, a tag ID as prescribed by Auto-ID center of MIT comprises a manufacturer code, a goods code indicating the variety of goods and a serial number indicating the number of a particular one of goods) in storage therein. The tag device is applied to articles or the like, and the tag ID information which is inherent to each tag device is transmitted by radio communication to a reader installed in a store or the like.

[Processing by Reader]

A reader reads tag ID information from a tag device through radio communication, and sends the tag ID information to a backend apparatus to solicit an acquisition of products distribution information.

[Processing by Backend Apparatus]

A backend apparatus controls a database for ID's from each tag device and for products distribution information or the like. And the backend apparatus retrieves products distribution information or the like in the database using tag ID information transmitted from the reader as a key and transmits a result of retrieval to the reader.

[Issues in Basic Automatic Tag Identification System]

However, in the basic automatic tag identification system, anyone who is in possession of a reader can read tag ID information, and accordingly, there has been a risk that information of articles under control may leak through eavesdropped tag ID information.

As regards this, non-patent literature 2 discloses a method in which a tag device delivers a hash value to a reader.

According to this method, the tag device initially transmits a hash value H(id|r) for a bit combination of ID information id and a random number r to the reader, which sends them to the backend apparatus. The backend apparatus forms a bit combination of the received random number r and each id′ stored in the database, and determines its hash value H(id′|r). Then it verifies whether or not the determined hash value H(id′|r) matches with the received hash value H(id|r), and transmits products distribution information or the like which corresponds to the matched id′ to the reader. In this manner, a leakage of the tag ID information to a third party can be prevented. It is to be noted that H(*) means a processing which applies a hash function H to *.

In a method disclosed in Patent Applications No. 2003-111342 and No. 2003-113798 which are not yet made open, a privileged ID which makes tag ID information confidential is employed to prevent a leakage of tag ID information to a third party. Specifically, in these techniques, a privileged ID is stored in a tag device, and a client apparatus which has read the privileged ID solicits a security server apparatus on a network to decrypt the privileged ID. In response to the solicitation, the security server apparatus responds with a plain text tag ID information which is a decrypted result for the privileged ID after it has confirmed that the client is a regular client apparatus. In this manner, a leakage of tag ID information to a third party can be prevented.

-   non-patent literature 1: EPC global, Inc., “EPC global”, [online], [retrieved Sep. 9, 2004], internet <http://www.epcglobalinc.org/>.
-   non-patent literature 2: Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest, Daniel W. Engels, Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems, First International Conference on Security in Pervasive Computing.

DISCLOSURE OF THE INVENTION

Issues to be Solved by the Invention

However, with a conventional method, it is possible that a distribution process may be traced utilizing information which is delivered from a tag device.

Specifically, with the method disclosed in non-patent literature 2, for example, a hash value H(id|r) which is transmitted from a tag device to a reader is simply a random number to a third party who does not know id. A random number r is generated each time a communication occurs between the tag device and the reader, and accordingly, the hash value H(id|r) changes from communication to communication. Accordingly, an attacker normally cannot gain a knowledge of an association between the hash value H(id|r) which is eavesdropped from the tag device and a hash value H(id|r_(i)) in a history of past communications. However, if an attacker could acquire ID information id as by tampering with the tag device, he could then calculate a hash value H(id|r_(i)) from the random number r_(i) in the history of past communications (if he knows a hash function H). By verifying whether or not the calculated value coincides with the hash value (corresponding to the random number r_(i)) in the history of past communications, the attacker can know whether or not the history of the communications is one which corresponds to the acquired ID, and thus can trace a distribution process of the tag device by collecting the history of communications corresponding to this ID.

Also in the method disclosed in Patent Application No. 2003-111342 or the like, for example, because the radio tag device always returns a same privileged ID, the attacker can trace the distribution process of the tag device by tracing the privileged ID even if he cannot decrypt the ID into plain text.

The present invention has been made in view of such aspect, and has for its object the provision of a technology which is capable of preventing a tracing of the distribution process of tag device by a third party.

Means to Solve Issues

To overcome above issues, a tag device is arranged to have privileged information for tag ID information in storage, and it is updated by overwriting at a given opportunity. This makes it difficult for an attacker to realize an association between information delivered in the past from a tag device and an updated privileged information, leading to a difficulty to trace the distribution process of the tag device.

By way of example, according to a first invention, a confidential value which corresponds to respective tag ID information is stored in a confidential value memory of respective tag devices. In response to an access from a reader, an output section of the tag device delivers a tag output information which corresponds to the confidential value in the confidential value memory. The tag device includes a first calculator, which reads out at least part of elements of the confidential value in the confidential value memory, and which applies a first function, the inverse image of which is difficult to obtain, and the confidential value in the confidential value memory is updated by overwriting with a result of such calculation. Since the confidential value in the confidential value memory is updated by overwriting, if an attacker acquires a confidential value stored in the confidential value memory as by tampering, the updated confidential value does not correspond to information which is transmitted from the tag device before the update. Since the update is achieved by applying the first function F1, the inverse image of which is difficult to obtain, it is difficult to obtain the confidential value before the update from a confidential value which prevails at a certain point in time. Accordingly, the attacker cannot know a correspondence between the tag device and the history of communications.

According to a second invention, for example, in an updater which is provided externally of a tag device, privileged ID information stored in the tag device is updated at a given opportunity into a new privileged ID information, an association of which with the original privileged ID information is difficult to follow. When the privileged ID information is updated in this manner, an attacker cannot know a correspondence between a privileged ID information which is delivered from the tag device to backend apparatus before the update and new privileged ID information after the update. Accordingly, the attacker cannot know the correspondence between the tag device and the history of communications.

EFFECTS OF THE INVENTION

As mentioned above, according to the present invention, a third party cannot know the correspondence between a tag device and a history of communications, and accordingly, a tracing of a distribution process of the tag device by a third party can be prevented.

BRIEF DESCRIPTION OF THE DRAWINGS

[FIG. 1] A is a block diagram illustrating an entire automatic tag identification system according to a first mode of carrying out the invention; B and C are block diagrams illustrating schematic arrangements of a tag device and a backend apparatus, respectively;

[FIG. 2] is an illustration of an overall arrangement of an automatic tag identification system of an embodiment 1;

[FIG. 3] is a flow chart for describing processing in the embodiment 1;

[FIG. 4] is an illustration of an overall arrangement of an automatic tag identification system according to an embodiment 2;

[FIG. 5] is an illustration of an overall arrangement of an automatic tag identification system according to an embodiment 3;

[FIG. 6] is a flow chart for describing processing by a backend apparatus of the embodiment 3;

[FIG. 7] is an illustration of an overall arrangement of an automatic tag identification system according to an embodiment 4;

[FIG. 8] is a flow chart for describing processing by the backend apparatus of the embodiment 4;

[FIG. 9] is an illustration of an overall arrangement of an automatic tag identification system of an embodiment 5;

[FIG. 10] A is a flow chart for describing processing by a tag device of the embodiment 5, and B is a flow chart for describing processing by a backend apparatus of the present embodiment;

[FIG. 11] is an illustration of an overall arrangement of an automatic tag identification system of an embodiment 6;

[FIG. 12] is a flow chart for describing processing in the embodiment 6;

[FIG. 13] is an illustration of an overall arrangement of an automatic tag identification system of an embodiment 7;

[FIG. 14] is a flow chart for describing processing in the embodiment 7;

[FIG. 15] is an illustration of an overall arrangement of an automatic tag identification system of an embodiment 8;

[FIG. 16] A is an illustration of data which is stored in the confidential value memory of a tag device, and B is an illustration of data stored in a database memory of a backend apparatus;

[FIG. 17] is a flow chart for describing processing in the embodiment 8;

[FIG. 18] is a flow chart for describing processing in the embodiment 8;

[FIG. 19] is an illustration of an overall arrangement of an automatic tag identification system of an embodiment 9;

[FIG. 20] A is an illustration of data stored in the confidential value memory of a tag device, and B is an illustration of data stored in a database memory of a backend apparatus;

[FIG. 21] is an illustration of an overall arrangement of an automatic tag identification system of an embodiment 10;

[FIG. 22] is a flow chart for describing processing by a tag device of the embodiment 10;

[FIG. 23] is a flow chart for describing processing by a backend apparatus of the embodiment 10;

[FIG. 24] is an illustration of an overall arrangement of an automatic tag identification system of an embodiment 11;

[FIG. 25] is a flow chart for describing processing by a tag device of the embodiment 11;

[FIG. 26] is a flow chart for describing part of processing by a backend apparatus of the embodiment 11;

[FIG. 27] is a flow chart for describing a processing by a tag device of an embodiment 12;

[FIG. 28] is a block diagram showing a schematic arrangement of a second mode for carrying out the invention;

[FIG. 29] is a conceptual view illustrating an overall arrangement of an updater system of an embodiment 14;

[FIG. 30] is a block diagram showing a functional arrangement of an updater system of the embodiment 14;

[FIG. 31] is a flow chart for describing a processing procedure of the embodiment 14;

[FIG. 32] is a block diagram showing a functional arrangement of an updater system of an embodiment 15;

[FIG. 33] is a flow chart for describing a processing procedure of the embodiment 15;

[FIG. 34] is a block diagram showing a functional arrangement of an updater system of an embodiment 16;

[FIG. 35] is a flow chart for describing a processing procedure in the embodiment 16;

[FIG. 36] is a block diagram illustrating a functional arrangement of an updater system of an embodiment 17;

[FIG. 37] is a flow chart for describing a processing procedure of the embodiment 17;

[FIG. 38] is a conceptual view showing an overall arrangement of an updater system of an embodiment 18;

[FIG. 39] is a block diagram showing a functional arrangement of an updater system of the embodiment 18;

[FIG. 40] is a flow chart for describing a processing procedure of the embodiment 18;

[FIG. 41] is a block diagram showing a functional arrangement of an updater system of an embodiment 19;

[FIG. 42] is a flow chart for describing a processing procedure of the embodiment 19;

[FIG. 43] is a block diagram showing a functional arrangement of an updater system of an embodiment 20;

[FIG. 44] is a flow chart for describing a processing procedure of the embodiment 20;

[FIG. 45] is a block diagram showing a functional arrangement of an updater system of an embodiment 21;

[FIG. 46] is a block diagram showing a functional arrangement of an updater system of an embodiment 22;

[FIG. 47] is a conceptual view illustrating an overall arrangement of an updater system of an embodiment 23;

[FIG. 48] is an illustration of a functional arrangement of the updater system of the embodiment 23;

[FIG. 49] is a flow chart for describing a processing procedure of the embodiment 23;

[FIG. 50] is a flow chart for describing a processing procedure of the embodiment 23;

[FIG. 51] is an illustration of a functional arrangement of a security server apparatus of an embodiment 24;

[FIG. 52] is an illustration of a format used in the embodiment 24;

[FIG. 53] is a flow chart for describing a processing procedure of the security server apparatus of the embodiment 24;

[FIG. 54] is an illustration of a functional arrangement of an updater system of an embodiment 25;

[FIG. 55] is an illustration of a functional arrangement of an updater system of the embodiment 25;

[FIG. 56] is a flow chart for describing a processing procedure of the embodiment 25;

[FIG. 57] is a flow chart for describing a processing procedure of the embodiment 25; and

[FIG. 58] is an illustration of a functional arrangement of a tag device in an embodiment 26.

Description of Characters

-   1 automatic tag identification system
-   10 tag device
-   11 confidential value memory
-   12 first calculator
-   13 second calculator
-   14 output section
-   20 reader
-   30 backend apparatus
-   31 database memory
-   32 input section
-   33 calculator
-   34 comparator
-   35 read-out section
-   40 network
-   1500 updater system
-   1510 tag device
-   1511 confidential value memory
-   1512 read/write section
-   1513 output section
-   1514 input section
-   1560 security server apparatus
-   1561 input section
-   1562 updater
-   1563 output section

BEST MODES FOR CARRYING OUT THE INVENTION

Several modes for carrying out the present invention will be described below with reference to the drawings.

[First Mode]

<Arrangement>

FIG. 1A is a block diagram illustrating an entire automatic tag identification system 1 according to a first mode. B and C are block diagrams illustrating schematic arrangements of a tag device 10 and a backend apparatus 30, respectively.

As illustrated in FIG. 1A, an automatic tag identification system 1 of the present mode comprises a tag device 10, a reader 20, and a backend apparatus 30 which is connected to the reader 20 through a network 40.

As illustrated in FIG. 1B, the tag device 10 of the present mode comprises a confidential value memory 11 in which a confidential value corresponding to each tag ID information is stored, a first calculator 12 for applying a first function F1, the inverse image of which is difficult to obtain, a second calculator 13 for applying a second function F2 which disturbs a relationship between elements of a domain of definition and its mapping and an output section 14 for delivering tag output information which corresponds to a confidential value in the confidential value memory 11 to the backend apparatus 30.

As illustrated in FIG. 1C, the backend apparatus 30 of the present mode comprises a database memory 31 containing respective tag ID information and corresponding confidential values in a manner relating to each other, an input section 32 for accepting an input of tag output information, a calculator 33 for applying the first function F1 and the second function F2, a comparator 34 for comparing a result of calculation in the calculator 33 against the tag output information, and a read-out section 35 for extracting information from the database memory 31.

<Processing by the Tag Device 10>

When the tag device 10 receives a read-out demand from the reader 20, the second calculator 13 of the tag device 10 initially reads out a confidential value from the confidential value memory 11, and generates the tag output information which is obtained by applying the second function F2 thereto. This tag output information is delivered to the output section 14 where it is delivered (by either radio or wire communication) to the backend apparatus 30. Subsequently, the first calculator 12 reads out at least part of the elements of the confidential value from the confidential value memory 11, applies the first function F1 thereto, and updates the confidential value in the confidential value memory 11 by overwriting with a result of such calculation. While the confidential value in the confidential value memory 11 is updated by overwriting after the tag output information has been generated, an arrangement may be such that the tag output information is generated after the confidential value in the confidential value memory 11 is updated by the overwriting.

<Processing by the Reader 20>

The reader 20 accepts an input of the tag output information which is delivered from the tag device 10 to the backend apparatus 30, and transmits it to the backend apparatus 30 through the network 40.

<Processing by the Backend Apparatus 30>

The input section 32 of the backend apparatus 30 accepts an input of the tag output information which is transmitted from the reader 20. This triggers the calculator 33 to apply the first function F1 used in the tag device 10 some number of times to elements which represent at least part of the confidential value in the database memory 31 and also to apply the second function F2 used in the tag device 10. Results of calculation in the calculator 33 are successively compared against the tag output information in the comparator 34, and when a matching therebetween is found, the read-out section 35 extracts the tag ID information which is related to the confidential value which corresponds to the matched result of calculation from the database memory 31.

EMBODIMENT 1

FIG. 2 illustrates an overall arrangement of an automatic tag identification system 100 in an embodiment 1 according to the first mode, and FIG. 3 is a flow chart for describing processing in the embodiment 1.

Referring to these Figures, the functional arrangement and a method of processing in the embodiment 1 will be described below.

<Arrangement>

As illustrated in FIG. 2, the automatic tag identification system 100 of the embodiment 1 comprises a tag device 110, a reader 120 and a backend apparatus 130 which is connected to the reader 120 through a network 140 so as to be capable of communication therewith. While in FIG. 2, only one tag device 110 is shown for the purpose of simplifying the description, it should be noted that more tag devices exist in actuality. In addition, while one reader 120 and one backend device 130 are shown in FIG. 2, more readers 120 and backend apparatus 130 may be used to construct the present system.

<Tag Device>

The tag device 110 in this example comprises a confidential value memory 111, a hash calculator 112 (equivalent to “second calculator”), a hash calculator 113 (equivalent to “first calculator”), an interface 114 (equivalent to “output section”), and a controller 115 including a memory 115 a.

It is to be noted that the confidential value memory 111 and the memory 115 a are memories capable of read/write operation such as EEPROM (Electronically Erasable and Programmable Read Only Memory), FeRAM (Ferroelectric Random Access Memory), a flash memory, NV (Nonvolatile) RAM or the like, for example.

The hash calculator 112 and the hash calculator 113 are integrated circuits constructed to apply one way functions or hash functions G, H: {0, 1}*→{0, 1}^(L) to input values, for example, and to deliver results obtained. It is to be noted that {0, 1}* represents a set of all binary series and {0, 1}^(L) represents a set of binary series having an L-bit length. Such hash functions G, H can be illustrated by SHA-1, MD5 or the like. It is to be noted that the hash function H is equivalent to “a first function F1, the inverse image of which is difficult to obtain”, and the hash function G is equivalent to “a second function F2 which disturbs a relationship between elements of a domain of definition and its mapping”. It is also to be noted that the controller 115 is an integrated circuit constructed so as to control processing of the entire tag device 110.

The interface 114 is a hardware which delivers data to the reader 120 by radio or wire communication, for example. Specifically, the interface 114 comprises an encoder/decoder circuit which performs an encoding/decoding using NRZ code, Manchester encoding, Miller code, single polarity RZ encoding or the like, a modulation/demodulation circuit which performs a modulation/demodulation by using the ASK (Amplitude Shift Keying), PSK (Phase Shift Keying), FSK (Frequency Shift Keying) or the like, and an antenna such as a dipole antenna, a microstrip antenna, a loop antenna or a cored coil to perform a transmission and reception of a signal using frequency in a low frequency band or ISM band (Industry Science Medical band). It is to be noted that the communication system utilizes the electromagnetic induction system or radio wave system.

The hash calculator 112 and the hash calculator 113 are electrically connected to the confidential value memory 111, and the hash calculator 112 is electrically connected to the interface 114 (equivalent to “output section”). While omitted from illustration in this Figure, the controller 115 is electrically connected to various portions of the tag device 110.

<Reader>

The reader 120 in this example comprises a products distribution information memory 121, an interface 122, a communication section 123, a memory 124 a, and a controller 124.

The products distribution information memory 121 comprises a magnetic recorder such as a hard disc unit, flexible disc, or the like, an optical disc unit such as DVD-RAM (Random Access Memory), CD-R (Recordable)/RW (ReWritable) or the like, a magneto-optical recorder such as MO (Magneto-Optical disc), a semiconductor memory such as EEP-ROM (Electronically Erasable and Programmable-Read Only Memory), a flash memory or the like, for example. The interface 122 is a hardware which is similar to the example of the interface 114, for example. The communication section 123 comprises a LAN card, modem, a terminal adapter or the like, for example, and the controller 124 comprises CPU (Central Processing Unit) of CISC (Complex Instruction Set Computer) type, RISC (Reduced Instruction Set Computer) type or the like and including the memory 124 a.

The interface 122 and the products distribution information memory 121 are electrically connected to the communication section 123, and while omitted from illustration in this Figure, the controller 124 is electrically connected to various portions of the reader 120.

<Backend Apparatus>

The backend apparatus 130 in this example comprises a database memory 131, a communication section 132 (equivalent to “input section”), a hash calculator 133 (equivalent to “third calculator”), a comparator 134, a read/write section 135 (equivalent to “read-out section”), a memory 136 a and a controller 136. Specifically, the backend apparatus 130 is constructed by the execution of a given program by a known computer of Neumann type including CPU, RAM, ROM (Read Only Memory), an external memory such as a magnetic recorder, an optical disc unit or the like, a LAN card, a modem, a terminal adapter or the like, which are connected together by buses. The CPU reads out a program stored in the RAM and executes a processing operation in accordance therewith to implement processing functions which are indicated below.

<Pre-Processing>

A given program is installed into the backend apparatus 130 so that the hash calculator 133 of the backend apparatus 130 can use the same hash functions G and H as contained in the tag device 110.

A confidential value s_(k, 1) (equivalent to “first confidential value”) which corresponds to each tag ID information id_(k) (k∈{1, . . . , m}, where k corresponds to each tag device and m is a total number of tag devices) is stored, one each, in the confidential value memory 111 of each tag device 110. The confidential value s_(k, 1) is a pseudo-random number s_(k, 1)∈{0, 1}^(L) which is generated by a random number generator (not shown) which is provided externally of the tag device 110, for example, in accordance with pseudo-random number generating algorithm which is based on a computer theory which uses a one-way hash function such as SHA-1 or the like. It is assumed that the random numbers s_(k, 1) which are stored in different tag devices are mutually non-coincident. A confidential value s_(n, 1) (equivalent to “second confidential value”, n∈{1, . . . , m} and n corresponds to k) corresponding to each tag device n, tag ID information id_(n) and data such as products distribution information data_(n) are stored in the database memory 131 of the backend apparatus 130 in a manner relating to each other.

<Processing by Tag Device>

Processings which occur when the tag device 110 is read by the reader 120 at an i-th run (where i is a natural number) will be described below. It is to be noted that the processing by the tag device 110 takes place under the control of the controller 115, and data which is necessary for the control is sequentially read and written from or into the memory 115 a.

Initially, in the hash calculator 112, a confidential value s_(k, i) (equivalent to “first confidential value”) is read from the confidential value memory 111 (step S1), and its hash value or tag output information G(s_(k, i)) is generated (step S2). This tag output information G(s_(k, i)) is sent to the interface 114 where it is transmitted to the reader 120 by either radio or wire communication (step S3).

Next, in the hash calculator 113, a hash value s_(k, i+1)=H(s_(k, i)) of the confidential value s_(k, i) which is read from the confidential value memory 111 is calculated (step S4), and the hash value s_(k, i+1) is saved in the confidential value memory 111 by overwriting as a new confidential value s_(k, i+1) (equivalent to “new first confidential value”). (The confidential value s_(k, i) in the confidential value memory 111 is erased, and instead the confidential value s_(k, i+1) is stored: step S5.) It is to be understood that H(*) implies a processing operation which applies the hash function H to *.

<Processing by the Reader>

The processing by the reader 120 takes place under the control of the controller 124, and data which is necessary for the control is sequentially read from or written into the memory 124 a.

Initially, the interface 122 of the reader 120 receives tag output information G(s_(k, i)) transmitted from the tag device 110 (step S6), and sends it to the communication section 123. The communication section 123 extracts products distribution information pd (such as a store code where the reader 120 is installed, for example) from the products distribution information memory 121 (step S7), and transmits the products distribution information pd together with the tag output information G(s_(k, i)) to the backend apparatus 130 through the network 140 (step S8).

<Processing by the Backend Apparatus>

Processing by the backend apparatus 130 takes place under the control ofthe controller 136, and data which is necessary for the control issequentially read and written from and into the memory 136 a.

Initially, the communication section 132 of the backend apparatus 130receives the products distribution information pd and tag outputinformation G(s_(k, i)) transmitted by the reader 120 (accepts inputs:step S9). The received products distribution information pd and tagoutput information G(s_(k, i)) are stored in the memory 136 a. Next, thecontroller 136 enters 1 for n, which is then stored in the memory 136 a(step S10). The controller 136 then causes the hash calculator 133 toextract a confidential value s_(n, 1) from the database memory 131 whilereferring to n value in the memory 136 a (step S11). The controller 136then enters 0 for j, which is then stored in the memory 136 a (stepS12). The controller 136 then refers to j value in the memory 136 a andcauses the hash calculator 133 to calculate a hash valueG(H^(j)(s_(n, 1))) (equivalent to “result of calculation in the thirdcalculator”) (step S13). It is to be noted that H^(j)(s_(n, 1)) impliesapplying the hash function H to the confidential value s_(n, 1) j times.H⁰(s_(n, 1)) implies s_(n, 1).

Subsequently, in the comparator 134, the hash value G(H^(j)(s_(n, 1)))is acquired from the hash calculator 133 and the tag output informationG(s_(k, i)) is acquired from the memory 136 a, and the comparator 134compare them against each other (step S14).

When these values do not match (step S15), the controller 136 enters j+1for j in the memory 136 a (step S16), and determines whether or not jhas exceeded a given maximum value j_(max) (step S17). When j is equalto or less than the maximum value j_(max), the controller 136 causes theprocessings which start with the step S13 to be executed again, and whenj exceeds the maximum value j_(max), it determines whether or not n inthe memory 136 a is equal to m (step S18). If n=m does not apply, thecontroller 136 causes n+1 to be stored for n in the memory 136 a (stepS19), and causes the processings which start with step S11 to beexecuted again, and terminate the processings if n=m. It is to be notedthat such processing is equivalent to executing the processings in thehash calculator 133 and the comparator 134 again by changing the valueof at least one of n and j under the control of the controller 136 whenthe tag output information G(s_(k, i))—and the hash valueG(H^(j)(s_(n, 1))) do not match.

On the other hand, in the event the tag output information G(s_(k, i)) and the hash value G(H^(j)(s_(n, 1))) match (step S15), the controller 136 sends the confidential value s_(n, 1) corresponding to the matched hash value G(H^(j)(s_(n, 1))) to the read/write section 135, which then extracts tag ID information id_(n) and data such as products distribution information data_(n) which are related to the confidential value s_(n, 1) corresponding to the matched hash value G(H^(j)(s_(n, 1))) from the database memory 131 and sends them to the communication section 132 (step S20). The read/write section 135 receives the products distribution information pd from the memory 136 a and writes it into the database memory 131 in a manner relating to the confidential value s_(n, 1) (step S20).

The tag ID information id_(n) and the data data_(n) sent to the communication section 132 are transmitted to the reader 120 through the network 140 (step S21), and are received by the communication section 123 of the reader 120 to be delivered (step S22).

<Features of Embodiment 1>

[Impossibility of Tracing]

In the embodiment 1 of the present mode, the hash value G(s_(k, i)) is used in the communication as tag output information. On account of the incapability of recognizing a hash value, this hash value G(s_(k, i)) appears to be simply a random number to an attacker who does not know the confidential value. Accordingly, this attacker cannot know whether or not G(s_(k, i)) and G(s_(k, i+1)) are delivered from the same tag device 110, and therefore cannot trace the distribution process of the tag device 110.

[Forward Security]

In the embodiment 1 of the present mode, the confidential value in the confidential value memory 111 which is used in the communication is arranged to be updated in accordance with a hash function H. If the tag device 110 is subjected to tampering that leaks the confidential value s_(k, i), the attacker cannot determine the past confidential value s_(k, i−Δi) from the confidential value s_(k, i) because of the one-way nature of the hash function. Accordingly, if the confidential value s_(k, i) leaks, the attacker cannot find a correspondence between the acquired confidential value s_(k, i) and the history of communications, and hence cannot trace the tag device 110.

[Traceability]

On the other hand, on account of the difficulty of collisions between the hash functions G and H (the property that hash values for different values hardly assume a same value), the backend apparatus 130 which knows the confidential value s_(n, 1) can trace the distribution process of the tag device 110.

[Efficiency]

Because the communication data is constructed only by the calculation of hash functions, the scale of the circuit which is incorporated in the tag device 110 is small as compared with a conventional method of generating random numbers, and thus lends itself to an application for which a low price is demanded.

The hash value H^(j)(s_(n, 1)) which is calculated at step S13 in the backend apparatus 130 may be recorded in the memory 136 to be utilized at step S13 of the next loop. Specifically, using the recorded H^(j)(s_(n, 1)), a hash value H^(j+1)(s_(n, 1)) may be determined by H(H^(j)(s_(n, 1))), and this value may be stored in the memory 136 a. In this instance, the number of times the hash calculation is made in the hash calculator 133 can be reduced, allowing the calculation efficiency of the backend apparatus 130 to be improved.
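The Embodiment 1 exchange and the backend search of steps S10 to S19, including the reuse of H^(j)(s_(n, 1)) described above, can be sketched as follows. This is an added example, not code from the patent: SHA-256 with a one-byte prefix to separate H from G, the class and function names, and the constructed sample secrets are all assumptions.

```python
import hashlib

def H(x):
    """First function F1: one-way update of the confidential value."""
    return hashlib.sha256(b"H" + x).digest()

def G(x):
    """Second function F2: derives the tag output from the confidential value."""
    return hashlib.sha256(b"G" + x).digest()

class Tag:
    """Tag device: holds only the current confidential value s_(k, i)."""

    def __init__(self, secret):
        self.state = secret

    def respond(self):
        out = G(self.state)          # tag output information G(s_(k, i))
        self.state = H(self.state)   # overwrite with s_(k, i+1) = H(s_(k, i))
        return out

class Backend:
    """Backend apparatus: knows every initial value s_(n, 1) and its tag ID."""

    def __init__(self, records, j_max):
        self.records = records       # {s_(n, 1): id_n}
        self.j_max = j_max
        self.h_calls = 0             # number of H evaluations performed so far

    def identify(self, tag_output):
        """Search n and j for G(H^j(s_(n, 1))) equal to the tag output."""
        for s_n1, tag_id in self.records.items():
            chain = s_n1                         # H^0(s_(n, 1))
            for j in range(self.j_max + 1):      # j = 0 .. j_max
                if G(chain) == tag_output:
                    return tag_id, j
                chain = H(chain)                 # reuse H^j to get H^(j+1) in one call
                self.h_calls += 1
        return None                              # no tag matched within j_max updates

def make_records(names):
    """Constructed sample secrets; a deployment would use random values."""
    return {hashlib.sha256(b"constructed seed " + n.encode()).digest(): n
            for n in names}

def demo():
    records = make_records(["tag-A", "tag-B", "tag-C"])
    backend = Backend(records, j_max=8)
    secret_b = next(s for s, n in records.items() if n == "tag-B")
    tag = Tag(secret_b)
    outputs = [tag.respond() for _ in range(4)]      # four successive reads
    found = [backend.identify(o) for o in outputs]
    return backend, tag, outputs, found

if __name__ == "__main__":
    backend, tag, outputs, found = demo()
    for out, hit in zip(outputs, found):
        print(out.hex()[:16], "->", hit)
    print("H evaluations:", backend.h_calls)
```

A tag that is read more than j_max + 1 times without the backend advancing its stored value falls outside the search window and is no longer identified, so j_max has to be sized against the expected number of reads.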

EMBODIMENT 2

An embodiment 2 is a modification of the embodiment 1, and differs from the embodiment 1 only in respect of the fact that the tag device additionally carries tag ID information id_(k) (equivalent to “first proper value w_(k)”) to update the confidential value s_(k, i) according to s_(k, i+1)=H(s_(k, i)|id_(k)). In the description to follow, only distinctions over the embodiment 1 will be described.

FIG. 4 illustrates an overall arrangement of an automatic tag identification system 200 according to the embodiment 2. It is to be noted that in this Figure, parts which are common with the embodiment 1 are designated by common characters as used in the embodiment 1. Referring to this Figure, the functional arrangement and a processing method of the embodiment 2 will be described below.

<Pre-Processing>

A distinction over the embodiment 1 lies in the fact that tag ID information id_(k) and a corresponding confidential value s_(k, i) are stored in a confidential value memory 211 of a tag device 210. A backend apparatus 130 includes a database memory 131 in which a confidential value s_(n, 1), tag ID information id_(n) and data such as products distribution information data_(n) which correspond to each tag device n are stored in a manner relating them to each other, and this tag ID information id_(n) is equivalent to “second proper value w_(n)”.

<Processing by Tag Device>

A difference with respect to the embodiment 1 lies only in the processing at step S4. Specifically, in place of the processing at the step S4 in the embodiment 1, a hash calculator 213 (equivalent to “first calculator”) extracts a confidential value s_(k, i) and tag ID information id_(k) from a confidential value memory 211 to calculate s_(k, i+1)=H(s_(k, i)|id_(k)). It is to be noted that α|β implies a bit combination of α and β. This result of calculation is overwritten into the confidential value memory 211 as a confidential value s_(k, i+1).

<Processing by Reader>

This remains the same as in the embodiment 1.

<Processing by Backend Apparatus>

A difference with respect to the embodiment 1 lies only in the processing at steps S11, S13, and S14. Specifically, in the embodiment 2, in place of step S11, a hash calculator 233 (equivalent to “third calculator”) of a backend apparatus 230 extracts a confidential value s_(n, 1) and corresponding tag ID information id_(n) from the database memory 131.

Then, in a similar manner to the embodiment 1, the controller 136 enters 0 for j, and stores it in the memory 136 a (step S12). Subsequently, in place of step S13, the hash calculator 233 calculates a hash value G(I^(j)(n)). Here, a definition is made that I^(j)(n)=s_(n, 1) (j=0), I^(j)(n)=H(I^(j−1)(n)|id_(n)) (j≧1). Thus the hash calculator 233 determines I^(j)(n) recurrently from the confidential value s_(n, 1) and the corresponding tag ID information id_(n), and calculates its hash value G(I^(j)(n)). This recurrent calculation is implemented by temporarily storing each I^(j′)(n) (j′∈{1, . . . , j−1}) appearing in the calculation process in the memory 136 a to be used in the calculation of the next I^(j′+1)(n). I^(j)(n) which is obtained when calculating the hash value G(I^(j)(n)) may be saved in the memory 136 a at least until the next hash value G(I^(j+1)(n)) is calculated. In this manner, I^(j)(n) which is once obtained can be utilized in the calculation of I^(j+1)(n)=H(I^(j)(n)|id_(n)) which is used in determining the next hash value G(I^(j+1)(n)), allowing an improved efficiency of calculation.

Subsequently, in place of step S14, a comparator 134 acquires the hash value G(I^(j)(n)) from the hash calculator 233 and tag output information G(s_(k, i)) from the memory 136 a and compares them against each other. Subsequently, the processing at step S15 and subsequent steps is executed in a similar manner to the embodiment 1.

As described above, in the embodiment 2, the confidential value s_(k, i) in the confidential value memory 211 of the tag device 210 is updated by a calculation s_(k, i+1)=H(s_(k, i)|id_(k)). In this manner, a situation in which updated contents of confidential values which correspond to different tag ID information id_(k) become semi-permanently coincident can be prevented. Specifically, when the same hash function is applied to different confidential values or the like, it is possible that the results of these calculations may become coincident at a certain point in time (collision). However, even in such an instance, the tag ID information id_(k) which corresponds to each confidential value s_(k, i) is different, and hence a next confidential value which is calculated according to s_(k, i+1)=H(s_(k, i)|id_(k)) cannot be the same. This represents an effect that cannot be obtained when a confidential value is updated according to s_(k, i+1)=H(s_(k, i)).

While tag ID information id_(k) and id_(n) have been used as the first proper value w_(k) and the second proper value w_(n) in the embodiment 2, other information which corresponds to each tag ID information may be used as a proper value.

EMBODIMENT 3

This represents a modification of the embodiment 1, and the difference with respect to the embodiment 1 exists only in recording a calculated value G(H^(j)(s_(n, 1))) (j=0, . . . , j_(max)) which is previously calculated in the backend apparatus. Only a distinction over the embodiment 1 will be described below.

FIG. 5 is an illustration of an overall arrangement of an automatic tag identification system 300 according to an embodiment 3. In this Figure, parts which are common to the embodiment 1 are designated by common characters as used in the embodiment 1. FIG. 6 is a flow chart for describing processing by a backend apparatus 330 in the embodiment 3. A functional arrangement and the processing method of the embodiment 3 will be described below with reference to these Figures.

<Pre-Processing>

The sole distinction with respect to the first mode is that a result of calculation G(H^(j)(s_(n, 1))) (j=0, . . . , j_(max)), which is previously calculated by the hash calculator 133, is stored in a database memory 331 of the backend apparatus 330 in a manner relating it to the confidential value s_(n, 1).

<Processing by Tag Device/Processing by Reader>

These remain similar to the embodiment 1.

<Processing by Backend Apparatus>

Initially, the backend apparatus 330 receives the products distribution information pd and tag output information G(s_(k, i)) transmitted from the reader 120 by means of a communication section 132 (step S31). The received products distribution information pd and tag output information G(s_(k, i)) are stored in a memory 136 a. A controller 136 then enters 1 for n, and stores it in the memory 136 a (step S32). The controller 136 then enters 0 for j, and stores it in the memory 136 a (step S33). The controller 136 extracts a result of calculation G(H^(j)(s_(n, 1))) stored in a database memory 331 while referring to values of n and j in the memory 136 a (step S34).

Then, a comparator 134 compares this result of calculation G(H^(j)(s_(n, 1))) against the tag output information G(s_(k, i)) which is extracted from the memory 136 a (step S35).

In the event these values do not match (step S36), the controller 136 enters j+1 for j in the memory 136 a (step S37) and determines whether or not j has exceeded the given maximum value j_(max) (step S38). If j is less than the maximum value j_(max), the controller 136 causes the processing at step S34 and subsequent steps to be re-executed, and when j exceeds the maximum value j_(max), it determines whether or not n in the memory 136 a is equal to m (step S39). If n=m does not apply, the controller 136 stores n←n+1 (making n+1 to be a new n) in the memory 136 a (step S40), causes the processing at step 33 and subsequent steps to be re-executed, and terminates the processing operations for n=m. This operation is equivalent to re-executing the processing in the hash calculator 133 and the comparator 134 by changing the value of at least one of n and j under the control of the controller 136 when the tag output information G(s_(k, i)) and the hash value G(H^(j)(s_(n, 1))) do not match.

On the other hand, when the tag output information G(s_(k, i)) and the hash value G(H^(j)(s_(n, 1))) match (step S36), the controller sends the confidential value s_(n, i) corresponding to the matched result of calculation G(H^(j)(s_(n, 1))) to the read/write section 135, which extracts the tag ID information id_(n) and data data_(n) such as the products distribution information or the like which are related to the confidential value s_(n, 1) which corresponds to the matched hash value G(H^(j)(s_(n, 1))) from the database memory 331 and sends them to the communication section 132 (step S40). The read/write section 135 receives the products distribution information pd from the memory 136 a, and writes this products distribution information pd into the database memory 131 by relating it to the confidential value s_(n, 1) (step S40). The tag ID information id_(n) and the data data_(n) which are sent to the communication section 132 are transmitted to the reader 120 through the network 140 (step S41).

As described above, in the embodiment 3, an arrangement is made to store the result of calculation G(H^(j)(s_(n, 1))) which is previously calculated in the database memory 331. Consequently, the amount of processing in the backend apparatus 330 can be reduced as compared with an arrangement in which G(H^(j)(s_(n, 1))) is calculated for each comparing processing.

EMBODIMENT 4

An embodiment 4 is a modification of the embodiment 1, and differs from the embodiment 1 only in an arrangement that information specifying a number of times a confidential value is updated is transmitted from a tag device, and the number of times the confidential value is updated is used in a backend apparatus for purpose of processing. Only a distinction over the embodiment 1 will be described below.

FIG. 7 is an illustration of an overall arrangement of an automatic tag identification system 400 of the embodiment 4. In this Figure, parts common to the embodiment 1 are designated by common characters as used in the embodiment 1. FIG. 8 is a flow chart for describing processing by a backend apparatus 430 of the embodiment 4. A functional arrangement and a processing method of the embodiment 4 will be described below with reference to these Figures.

<Arrangement of Tag Device>

A distinction over the embodiment 1 resides in a provision of a counter 416 in a tag device 410 which counts a number of times rn a confidential value is updated.

<Processing by Tag Device>

A distinction over the embodiment 1 resides in only an arrangement which stores a number of times rn a confidential value s_(k, i) is updated as counted by a counter 416 in a confidential value memory 411 of a tag device 410 in addition to the confidential value s_(k, i) and an arrangement by which information which specifies the number of times rn the update is performed is transmitted to the reader 120 through a hash calculator 112 and an interface 114 (equivalent to “output section”).

<Processing by Reader>

A distinction over the embodiment 1 resides only in an arrangement in which an interface 122 also receives information specifying a number of times rn the update is performed and a communication section 123 transmits information specifying the number of times rn the update is performed to the backend apparatus 430 through the network 140.

<Processing by Backend Apparatus>

Initially, the communication section 132 of the backend apparatus 330 receives information specifying rn, products distribution information pd and tag output information G(s_(k, i)) which are transmitted from the reader 120 (step S50). Information specifying rn, the products distribution information pd and the tag output information G(s_(k, i)) which have been received are stored in the memory 136 a. Then the controller 136 enters 1 for n, and stores it in the memory 136 a (step S51). The controller 136 then causes a hash calculator 433 to extract a confidential value s_(n, 1) from the database memory 131 while referring to values of n and j in the memory 136 a (step S52), and causes the hash function H to be applied thereto rn times and also causes the hash function G to be applied subsequently, thus allowing a hash value G(H^(j)(s_(n, 1))) (j=rn) to be calculated (step S53).

Then the comparator 134 acquires the hash value G(H^(j)(s_(n, 1))) from the hash calculator 133 and the tag output information G(s_(k, i)) from the memory 136 a and compares them against each other (step S54).

In the event these values do not match (step S55), the controller 136 determines whether or not n in the memory 136 a is equal to m (step S56). If n=m does not apply, the controller 136 stores n←n+1 (making n+1 to be a new n) in the memory 136 a (step S57), causes the processing at step S52 and subsequent steps to be re-executed and terminates the processing if n=m. It is to be noted that this processing is equivalent to re-executing the processing in the hash calculator 433 and the comparator 134 by changing the value of n when the hash value G(H^(j)(s_(n, 1))) and the tag output information G(s_(k, i)) do not match.

On the other hand, if the tag output information G(s_(k, i)) and the hash value G(s_(k, i)) match (step S55), the controller sends the confidential value s_(n, 1) corresponding to the matched hash value G(s_(k, i)) to the read/write section 135, which then extracts tag ID information id_(n) and data data_(n) such as products distribution information which are related to the confidential value s_(n, 1) which corresponds to the matched hash value G(H^(j)(s_(n, 1))) from the database memory 131 and sends them to the communication section (step S58). The read/write section 135 receives products distribution information pd from the memory 136 a, and then writes this products distribution information pd into the database memory 131 in a manner relating it to the confidential value s_(n, 1) (step S59). Tag ID information id_(n) and data data_(n) which are sent to the communication section 132 are transmitted to the reader 120 through the network 140 (step S59).

As described above, in the embodiment 4, an arrangement is made so that the tag device 410 transmits rn and the backend apparatus 430 uses this rn to calculate the hash value G(H^(rn)(s_(n, 1))) for the purpose of a comparing processing. In this manner, a comparing processing by the backend apparatus 430 takes place only once for each s_(n, 1), allowing the amount of processing required to be reduced.
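The two backend shortcuts of Embodiments 3 and 4 can be compared side by side in the following added example, which is not code from the patent. It assumes SHA-256 with a one-byte prefix for H and G and constructed sample secrets; the hash-keyed index goes beyond the sequential comparison of steps S34 to S39, and the upper bound rn_max on the received update count is an added assumption, included because rn arrives from outside the backend and each candidate tag costs rn hash evaluations.

```python
import hashlib

def H(x):
    return hashlib.sha256(b"H" + x).digest()   # update function (F1)

def G(x):
    return hashlib.sha256(b"G" + x).digest()   # output function (F2)

def tag_read(state, rn):
    """One read of an Embodiment 4 tag: emits (G(s), rn), then updates s and rn."""
    return (G(state), rn), H(state), rn + 1

def build_table(records, j_max):
    """Embodiment 3: precompute G(H^j(s_(n, 1))) for j = 0 .. j_max."""
    table = {}
    for s_n1, tag_id in records.items():
        chain = s_n1
        for j in range(j_max + 1):
            table[G(chain)] = (tag_id, j)      # index by the expected tag output
            chain = H(chain)
    return table

def identify_precomputed(table, tag_output):
    """Embodiment 3 lookup: no hashing at identification time."""
    return table.get(tag_output)

def identify_with_counter(records, tag_output, rn, rn_max):
    """Embodiment 4: one candidate G(H^rn(s_(n, 1))) per tag.

    Returns (tag_id or None, number of hash evaluations spent).
    """
    if not isinstance(rn, int) or not 0 <= rn <= rn_max:
        raise ValueError("update count outside the accepted range")
    spent = 0
    for s_n1, tag_id in records.items():
        value = s_n1
        for _ in range(rn):                    # apply H exactly rn times
            value = H(value)
        spent += rn + 1                        # rn calls to H plus one to G
        if G(value) == tag_output:
            return tag_id, spent
    return None, spent

def demo():
    # Constructed sample secrets; a deployment would use random values.
    records = {hashlib.sha256(b"constructed seed " + n.encode()).digest(): n
               for n in ("tag-A", "tag-B", "tag-C")}
    state = next(s for s, n in records.items() if n == "tag-C")
    rn = 0
    for _ in range(6):                         # six reads; the last one carries rn = 5
        (out, sent_rn), state, rn = tag_read(state, rn)
    return records, out, sent_rn

if __name__ == "__main__":
    records, out, sent_rn = demo()
    table = build_table(records, j_max=8)
    print("table lookup:  ", identify_precomputed(table, out))
    print("counter search:", identify_with_counter(records, out, sent_rn, rn_max=16))
```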

EMBODIMENT 5

An embodiment 5 is a modification of the embodiment 1, and differs from the embodiment 1 only in respect of performing an updating/comparison of the confidential value using a secret key encrypted function in place of a hash function. Only a distinction over the embodiment 1 will be described below.

FIG. 9 is an illustration of an overall arrangement of an automatic tag identification system 500 of the embodiment 5. It is to be noted that in this Figure, parts which are common to the embodiment 1 are designated by common characters as used in the embodiment 1. FIG. 10A is a flow chart for describing processing by a tag device 510 in the embodiment 5, and FIG. 10B is a flow chart for describing processing by a backend apparatus 530 in the embodiment 5. A functional arrangement and a processing method of the present embodiment will be described below with reference to these Figures.

<Pre-Processing>

In the embodiment 5, a tag device 510 is provided with a key memory 515, and a backend apparatus 530 is provided with a key memory 536, each storing common keys KG and KH, respectively. In the tag device 510, encrypted function calculators 512 and 513 are substituted for the hash calculators 112 and 113 of the first embodiment, and in the backend apparatus 530, an encrypted function calculator 533 is substituted for the hash calculator 133. The encrypted function calculators 512, 513, and 533 are constructed to enable a calculation with a common key encryption function E such as AES, Camellia or the like in place of the hash function. In the embodiment 5, the common key encryption function E which uses the common key KH is equivalent to “a first function F1, the inverse image of which is difficult to obtain”, and the common key encryption function E which uses the common key KG is equivalent to “a second function F2 which disturbs a relationship between elements of a domain of definition and its mapping”. Thus, the first function F1 and the second function F2 in this example represent the same common key encryption function, to which different common keys are applied.

What is mentioned above represents a distinction over the embodiment 1.

<Processing by Tag Device>

Initially, an encrypted function calculator 512 (equivalent to “second calculator”) extracts a confidential value s_(k, i) from a confidential value memory 111 (step S61), extracts a common key KG from a key memory 515, and applies a common key encryption function E to the secret key s_(k, i) with the common key (E_(KG)(s_(k, i)): step S62). An encrypted text E_(KG)(s_(k, i)) which is calculated is transmitted as the tag output information E_(KG)(s_(k, i)) from the interface 114 to the reader 120 through radio or wire communication (step S63).

Then, in an encrypted function calculator 513 (equivalent to “first calculator”), the common key KH is extracted from the key memory 515, the confidential value s_(k, i) is extracted from the confidential value memory 111, and the common key encryption function E is applied to the confidential value s_(k, i) with the common key KH (step 64), and a result of this calculation is saved by overwriting as a new confidential value s_(i+1)=E_(KH)(s_(k, i)) in the confidential value memory 111 (step 65).

<Processing by Reader>

This remains similar to the embodiment 1.

<Processing by Backend Apparatus>

Initially, the backend apparatus 530 receives products distribution information pd and tag output information E_(KG)(s_(k, i)) transmitted by the reader 120 by the communication section 132 (step S70). Received products distribution information pd and tag output information E_(KG)(s_(k, i)) are stored in the memory 136 a. Then, the controller 136 enters 1 for n, and stores it in the memory 136 a (step S71). The controller 136 then causes the encrypted function calculator 533 (equivalent to “third calculator”) to extract the confidential value s_(n, 1) from the database 131 while referring to the value n in the memory 136 a (step S72). The controller 136 then enters 0 for j, and stores it in the memory 136 a (step S73). The controller 136 causes the encrypted function calculator 533 to calculate an encrypted text E_(KG)(E^(j) _(KH)(s_(n, 1))) (equivalent to “result of a calculation in the third calculator”) while referring to the value of j in the memory 136 a (step S74). It should be noted that E^(j) _(KH)(s_(n, 1)) implies applying a common key encryption function E to the confidential value s_(n, 1) j times using the common key KH. Then the comparator 134 acquires the encrypted text E_(KG)(E^(j) _(KH)(s_(n, 1))) from the hash calculator 133 and acquires tag output information E_(KG)(s_(k, i)) from the memory 136 a, and compares them against each other (step S75).

In the event these values do not match (step S76), the controller 136 enters j+1 for j in the memory 136 a (step S77), and determines whether or not j has exceeded a given maximum value j_(max) (step S78). If it is found that j is equal to or less than the maximum value j_(max), the controller 136 causes the processing at step S74 and subsequent steps to be re-executed and if j has exceeded the maximum value j_(max), determines whether or not n in the memory 136 a is equal to m (step S79). If n=m does not apply, the controller 136 saves n←n+1 (making n+1 to be a new n) in the memory 136 a (step S80), causes the processing at step 72 and subsequent steps to be re-executed and terminates the processing operation if n=m. It is to be noted that this processing is equivalent to re-executing the processing in the encrypted function calculator 533 and the comparator 134 by changing the value of at least one of n and j under the control of the controller 136 when tag output information E_(KG)(s_(k, i)) and the encrypted text E_(KG)(E^(j) _(KH)(s_(n, 1))) do not match.

On the other hand, if tag output information E_(KG)(s_(k, i)) and the encrypted text E_(KG)(E^(j) _(KH)(s_(n, 1))) match (step S76), the controller 136 sends the confidential value s_(n, 1) which corresponds to the matched encrypted text E_(KG)(E^(j) _(KH)(s_(n, 1))) to the read/write section 135, which then extracts the tag ID information id_(n) and data data_(n) such as products distribution information which are related to the confidential value s_(n, 1) which corresponds to the matched encrypted text E_(KG)(E^(j) _(KH)(s_(n, 1))) from the database memory 131, and sends them to the communication section 132 (step S81). The read/write section 135 receives products distribution information pd from the memory 136 a, and writes the products distribution information pd into the database memory 131 by relating it with the confidential value s_(n, 1) (step S81). Tag ID information id_(n) and data data_(n) sent to the communication section 132 are transmitted to the reader 120 through the network 140 (step S82).

It is to be noted that the encrypted text E^(j) _(KH)(s_(n, 1)) which is calculated at step S74 in the backend apparatus 530 may be recorded in the memory 136 a to be utilized at the step S74 of the next loop. Specifically, using E^(j) _(KH)(s_(n, 1)) which is recorded, an encrypted text E^(j+1) _(KH)(s_(n, 1)) may be determined according to E_(KH)(E^(j) _(KH)(s_(n, 1))), and this value may be stored in the memory 136 a again. In this instance, the number of times an encrypted calculation is performed in the encrypted function calculator 533 can be reduced, improving the efficiency of the calculation by the backend apparatus 530. Alternatively, E^(j) _(KH)(s_(n, 1)) (j∈{1, . . . , j_(max)}) may be previously calculated in the backend apparatus 530 and stored in the memory 136 a to be utilized at step S74. Again, the efficiency of calculation in the backend apparatus 530 can be improved.

While the embodiment 5 represents an example in which processing is performed by using the common key encryption function E which uses the common key KH as “the first function F1, the inverse image of which is difficult to obtain” and using the common key encryption function E which uses the common key KG as “the second function F2 which disturbs a relationship between elements of the domain of definition and its mapping”, processing may be performed by using a hash function for one of the first function F1 and the second function F2. Also in the embodiments 1 to 4 or embodiments 6 to 11 which will be described later, processing may be performed by using a common key encryption function E which uses a common key KH or KG for at least one of the first function F1 and the second function F2.

In this manner, in the embodiment 5, an arrangement is made to update a confidential value s_(k, i) using a common key encryption function. As a consequence, if the confidential value s_(k, i) leaks from the tag device 510, it is impossible for an attacker to trace a distribution process of the tag device 10 on the basis of the confidential value s_(k, i) and a history of communications. Since there is no need to provide a random number generator circuit in the tag device 510, the cost required for the tag device 510 can be reduced. In addition, if a common key encryption function which is lighter (requiring a lesser amount of calculations) than a hash function could be used, the amount of processing in the tag device 510 and backend apparatus 530 can be reduced.

EMBODIMENT 6

An embodiment 6 is a modification of the embodiment 1 and differs from the embodiment 1 in that a hash value of a bit combination of a confidential value s_(k, i) and a first proper value w_(k) which is inherent to each tag is used as the tag output information.

FIG. 11 is an illustration of an overall arrangement of an automatic tag identification system 600 of the embodiment 6, and FIG. 12 is a flow chart for describing processing in the embodiment 6. It is to be noted that in FIG. 11, parts which are common to the embodiment 1 are designated by common characters as used in the embodiment 1. A functional arrangement and a processing method of the embodiment 6 will be described below with reference to these Figures.

<Pre-Processing>

Differences over the embodiment 1 reside in an arrangement that a confidential value s_(k, i) corresponding to each tag ID information id_(k) (equivalent to “first confidential value”) and a proper value w_(k) (equivalent to “the first proper value”) are stored in a confidential value memory 611 of each tag device 610 and an arrangement in which each tag ID information id_(n) (n∈{1, . . . , m}) as well as a confidential value s_(n, 1) (equivalent to “second confidential value”), a proper value w_(n) (equivalent to “second proper value”) and data data_(n) such as products distribution information which correspond thereto are stored in a database memory 631 of a backend apparatus 630 in a manner relating them to each other. As a proper value, tag ID information may be utilized, for example.

<Processing by Tag Device>

In the following, the processing which occurs when the tag device 610 is read by a reader 620 during an i-th run (i being a natural number) will be described.

Initially, a hash calculator 612 extracts a confidential value s_(k, i) and a proper value w_(k) from the confidential value memory 611 (step S101), and calculates tag output information G(s_(k, i)|w_(k)) by applying a hash function G to a bit combination of the confidential value s_(k, i) and the proper value w_(k) (step S102). The interface 114 transmits this tag output information G(s_(k, i)|w_(k)) to the reader 120 by either radio or wire communication (step S103).

Then a hash calculator 113 calculates a hash value H(s_(k, i)) by applying the hash function H to the confidential value s_(k, i) which is extracted from the confidential value memory 611 (step S104), and overwrites the confidential value s_(k, i) in the confidential value memory 611 by a new confidential value s_(k, i+1) which is the hash value H(s_(k, i)) (the confidential value s_(k, i) in the confidential value memory 611 is erased and the confidential value s_(k, i+1) is saved instead: step S105).

<Processing by Reader>

The reader 120 receives at its interface 122 tag output information G(s_(k, i)|w_(k)) which is transmitted from the tag device 610 (step S106) and sends it to the communication section 123. The communication section 123 extracts products distribution information pd from products distribution information memory 121 (step S107) and transmits the products distribution information pd and the hash value G(s_(k, i)|w_(k)) to the backend apparatus 630 through the network 140 (step S108).

<Processing by Backend Apparatus>

The backend apparatus 630 receives the products distribution information pd and the tag output information G(s_(k, i)|w_(k)) which are transmitted from the reader 120 at its communication section 132 (or accepts inputs: step S109). The received products distribution information and tag output information G(s_(k, i)|w_(k)) are stored in a memory 136 a.

Then the controller 136 enters 0 for parameters j and n, and stores them in the memory 136 a (step S10). The controller 136 then refers to j and n in the memory 136 and causes a hash calculator 633 (equivalent to “third calculator”) to calculate a hash value G(H^(j)(s_(n, 1))|w_(n)) using a set of second confidential value s_(n, i) and second proper value w_(n) which are extracted from the database memory 631 (step S111). It is to be noted that this H^(j)(s_(n, 1)) may be calculated beforehand and stored in the database memory 631. In this instance, the calculation load of the backend apparatus 630 can be alleviated.

Then, a comparator 134 acquires a hash value G(H^(j)(s_(n, 1))|w_(n)) from the hash calculator 633 and acquires tag output information G(s_(k, i)|w_(k)) from the memory 136 a and compares them against each other (step S112).

In the event these values do not match (step S113), the controller 136 enters j+1 for j in the memory 136 a (step S114), and determines whether or not j has exceeded a given maximum value j_(max) (step S115). If j is equal to or less than the maximum value j_(max), it returns to the processing at step S111, but if j exceeds the maximum value j_(max), the controller 136 enters n+1 for n and 0 for j in the memory 136 a (step S116), and determines whether n has exceeded a given maximum value n_(max) (step S17). If n is equal to or less than the maximum n_(max), it returns to the processing at step S111, but if n exceeds the maximum value n_(max), an error termination results (step S118).

On the other hand, if a determination at step S113 reveals that the tag output information G(s_(k, i)|w_(k)) and the hash value G(H^(j)(s_(n, 1))|w_(n)) match, the controller 136 applies this value of n to the read/write section 135, which uses this n to extract id_(n) and data_(n) which are related to the confidential value s_(n, 1) and the proper value w_(n) which correspond to the matched hash value G(H^(j)(s_(n, i))|w_(n)) from the database memory 631, and send these to the communication section 132. The read/write section 135 also receives the products distribution information pd from the memory 136 a, and writes this products distribution information pd into the database memory 631 in a manner relating it to the confidential value s_(n, 1) and the proper value w_(n) which correspond to the matched hash value G(H^(j)(s_(n, 1))|w_(n)) (step S119).

id_(n) and data_(n) which are sent to the communication section 132 are transmitted to the reader 120 through the network 140, and are received by the communication section 123 of the reader 120 to be delivered (step S121).

<Features of Embodiment 6>

In the embodiment 6, tag output information G(s_(k, i)|w_(k)) delivered from each tag device 610 represents a hash value of a bit combination of the confidential value s_(k, i) and the proper value w_(k) which is inherent to each tag device 610. The confidential value s_(k, i) of each tag device is successively updated by the hash value H(s_(k, i)). If tag output information G(s_(k, i)|w_(k)) becomes identical between tag devices (occurrence of a collision), because the proper value w_(k) differs between tag devices, this collision can be eliminated with a high probability due to the difficulty of a collision occurring between hash functions if the confidential value s_(k, i) of each tag device is updated. In this manner, a collision between tag output information G(s_(k, i)|w_(k)) between tag devices 610 can be prevented from occurring in a continued manner, thus preventing a failure of the backend apparatus 630 to identify tag ID information uniquely from the tag output information G(s_(k, i)|w_(k)).

EMBODIMENT 7

An embodiment 7 is a modification of the embodiment 6, and differs from the embodiment 6 in that tag devices share a confidential value in common. A distinction over the embodiment 1 and embodiment 6 will be principally described below.

FIG. 13 is an illustration of an overall arrangement of an automatic tag identification system 700 of the embodiment 7. It is to be noted that in this Figure, parts which are common to the embodiment 1 are designated by common characters as used in the embodiment 1. FIG. 14 is a flow chart for describing processing in the embodiment 7. A functional arrangement and a processing method of the embodiment 7 will be described below with reference to these Figures.

<Pre-Processing>

For each ID (id_(k) (k=1, . . . , m)) which corresponds to each tag device 710, a single random number s₁ ∈ {0, 1}^(t) is generated, and is stored as a confidential value s₁ (which is an initial value of s_(i) and is equivalent to “first confidential value”) in the confidential value memory 711 of each tag device 710. For each tag ID information (id_(k) (k=1, . . . , m)) which corresponds to each tag device 710, a proper value w_(k) which is inherent to each is generated, and is stored in the confidential value memory 711 of the respective tag device 710.

The confidential value s₁ which is the same as the confidential value s₁ stored in each tag device 710 is stored in a database memory 731 of a backend apparatus 730 as “second confidential value”. Each proper value w_(n) is also stored in the database memory 731 in a manner relating it to tag ID information id_(n) and data_(n) such as products distribution information or the like of the corresponding tag device 710.

In addition, a hash value s_(j+2)=H^(j+1)(s₁) (j=0, . . . , j_(max)) of the confidential value s₁ which is common to each tag device 710 is calculated by a hash calculator 736 of the backend apparatus 730. Each calculated hash value s_(j+2) is stored in the database memory 731.

<Processing by Tag Device>

In the following, a processing which takes place during an i-th run when the tag device is read by a reader 720 will be described.

Initially, a hash calculator 712 extracts a confidential value s_(i) and a proper value w_(k) from the confidential value memory 711 (step S131), and calculates a tag output information G(s_(i)|w_(k)) which is a hash value of a bit combination of the confidential value s_(i) and the proper value w_(k) (step S132). The interface 114 transmits this tag output information G(s_(i)|w_(k)) to the reader 120 (step S133).

A hash calculator 113 then calculates a hash value H(s_(i)) of the confidential value s_(i) which is extracted from the confidential value memory 711 (step S134) and the confidential value s_(i) in the confidential value memory 711 is overwritten by the hash value H(s_(i)) as a new confidential value s_(i+1) (step S135).

<Processing by Reader>

This remains to be similar to the embodiment 1 (steps S136˜S138).

<Processing by Backend Apparatus>

The backend apparatus 730 receives the products distribution information pd and tag output information G(s_(i)|w_(k)) transmitted from the reader 120 at its communication section 132 (step S139). The received products distribution information pd and tag output information G(s_(i)|w_(k)) are stored in the memory 136 a.

Then the controller 136 enters 0 for parameters j and n and stores them in the memory 136 a (step S140).

In a hash calculator 733 (equivalent to “third calculator”), a hash value G(s_(j+1)|w_(n)) is calculated using the proper value w_(n) and the confidential value s_(i) which are extracted from the database memory 731 or the hash value s_(j+2) (which is calculated beforehand by the hash calculator 736) (step S141).

Then, a comparator 134 acquires the hash value G(s_(j+1)|w_(n)) (equivalent to “result of calculation in the third calculator”) from the hash calculator 733 and acquires the tag output information G(s_(i)|w_(k)) from the memory 136 a, and compares them against each other (step S142).

In the event these values do not match (step S143), the controller 136 enters j+1 for j in the memory 136 a (step S144), and determines whether or not j has exceeded a given maximum value j_(max) (step S145). If j is equal to or less than the maximum value j_(max), it returns to the processing at step S141, but if j has exceeded the maximum value j_(max), the controller substitutes n+1 for n and 0 for j in the memory 136 a (step 146) and determines whether or not n has exceeded a given maximum value n_(max) (step S147). If n is equal to or less than the maximum value n_(max), it returns to the processing at step S141, but if n has exceeded the maximum value n_(max), an error termination results (step S148).

If the determination at step S143 reveals that the tag output information G(s_(i)|w_(k)) and the hash value G(s_(j+1)|w_(n)) match, the read/write section 135 extracts id_(n) and data_(n) which are related to the proper value w_(n) which corresponds to the matched hash value G(s_(j+1)|w_(n)) from a database memory 731 and sends them to the communication section 132 under the control of the controller 136. The read/write section 135 also receives products distribution information pd from the communication section 132, and writes the products distribution information pd into the database memory 731 in a manner relating it to the proper value w_(n) which corresponds to the matching hash value G(s_(j+1)|w_(n)) (step S149).

id_(n) and data_(n) which are sent to the communication section 132 are transmitted to the reader 120 through the network 140 (step S150), and are received by the communication section 123 of the reader 120 to be delivered (step S151).

<Features of Embodiment 7>

In the embodiment 7, the confidential value s₁ which is common to each tag device 710 is used. Accordingly, the confidential value s_(j+1) which is used in the processing at step S141 by the backend apparatus 730 can be used in common to each tag ID information id_(n), whereby the amount of calculations in the backend apparatus 730 can be drastically reduced, permitting an efficient retrieval.

Specifically, denoting the number of the tag devices 710 by m and the number of hashing operations in the backend apparatus 730 (the number of times the confidential value is updated for the tag device 710) by j, the embodiment 1 required a number of hash operations which is equal to 2mj. By contrast, in the embodiment 7, the number of hash operations can be suppressed to mj+j.

In addition, the tag device 710 delivers the number of times rn the confidential value s₁ is updated together with the tag output information G(s_(i)|w_(k)), and if the number of the times it is updated rn is fed to the backend apparatus 730 (see the embodiment 4), the number of hash operations in the backend apparatus 730 can be reduced down to m+j.
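The tag-side update and backend search of the embodiment 7, as an added Python sketch that is not part of the patent text: H and G are modelled as domain-separated SHA-256, and the class names, the 16-byte value length and the `id1` style identifiers are assumptions. It also exercises the error-termination path: a tag read more than j_max times falls outside the precomputed chain and is no longer identified.

```python
import hashlib
import hmac
import secrets

T = 16  # byte length of s_i and w_k (assumed; the text only says t bits)


def H(x: bytes) -> bytes:
    """First function H, used to update the confidential value (assumed SHA-256 based)."""
    return hashlib.sha256(b"H" + x).digest()[:T]


def G(x: bytes) -> bytes:
    """Second function G, used to form the tag output (assumed SHA-256 based)."""
    return hashlib.sha256(b"G" + x).digest()


class Tag:
    """Tag device 710: the shared confidential value s_i plus its own proper value w_k."""

    def __init__(self, s1: bytes, w_k: bytes):
        self.s = s1
        self.w = w_k

    def respond(self) -> bytes:
        out = G(self.s + self.w)  # steps S131-S133: tag output G(s_i|w_k)
        self.s = H(self.s)        # steps S134-S135: overwrite s_i with H(s_i)
        return out


class Backend:
    """Backend apparatus 730: one hash chain shared by every tag record."""

    def __init__(self, s1: bytes, records, j_max: int):
        self.records = records            # list of (w_n, id_n)
        self.chain = [s1]                 # chain[j] = H^j(s_1), computed once
        for _ in range(j_max):
            self.chain.append(H(self.chain[-1]))
        self.h_calls = j_max              # H evaluations, independent of m
        self.g_calls = 0                  # G evaluations spent on lookups

    def identify(self, tag_output: bytes):
        for w_n, id_n in self.records:            # outer loop over n
            for j, s in enumerate(self.chain):    # inner loop over j
                self.g_calls += 1
                if hmac.compare_digest(G(s + w_n), tag_output):
                    return id_n, j
        return None                               # error termination


def build_system(m: int, j_max: int):
    """Pre-processing: one shared s_1, one random w_k per tag (constructed values)."""
    s1 = secrets.token_bytes(T)
    records = [(secrets.token_bytes(T), f"id{n}") for n in range(1, m + 1)]
    tags = [Tag(s1, w) for w, _ in records]
    return Backend(s1, records, j_max), tags


if __name__ == "__main__":
    backend, tags = build_system(m=5, j_max=8)
    for _ in range(3):
        print(backend.identify(tags[2].respond()))
    print("H calls:", backend.h_calls, "G calls:", backend.g_calls)
```

The H count stays at j_max however many tags are registered, while each lookup costs at most m(j_max+1) evaluations of G.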

EMBODIMENT 8

An embodiment 8 is a modification of the embodiment 1, and differs from the embodiment 1 in that a combination of a plurality of elements is allotted as a value which is inherent to each tag device. In this manner, part of elements which are allotted to each tag device can be shared by a plurality of tag devices, with consequence that a total amount of calculations which are required to recognize a tag device can be reduced.

FIG. 15 is an illustration of an overall arrangement of an automatic tag identification system 800 of the embodiment 8. In this Figure, parts which are common to the embodiment 1 are designated by like numerals as used in the embodiment 1. FIG. 16 A shows an example of data which are stored in a confidential value memory 811 of a tag device 810, and FIG. 16 B shows examples of data which are stored in a database memory 831 of a backend apparatus 830. In addition FIG. 17 and FIG. 18 are flow charts for describing processings in the embodiment 8.

A functional arrangement and a processing method of the embodiment 8 will be described below with reference to these Figures. It is to be noted that what is common to the embodiment 1 will be omitted from description.

<Pre-Processing>

By way of example, using a random number generator (not shown) or the like, a set of initial values of elements which are allotted to respective tag devices (b_(1, 1, 0), . . . , b_(1, j, 0), . . . , b_(1, ρ, 0)) . . . (b_(u, 1, 0), . . . , b_(u, j, 0), . . . , b_(u, ρ, 0)) . . . (b_(d, 1, 0), . . . , b_(d, j, 0), . . . , b_(d, ρ, 0)) are generated. A set of elements within each “( )” will be referred to as a sub-group α_(u) (u ∈ {1, . . . , d}).

Here, j is a natural number (j ∈ {1, . . . , p}) which satisfies 1≦j≦p, and u is a natural number (u ∈ {1, . . . , d}) which satisfies 1≦u≦d. In the embodiment 8, a combination of a plurality of elements defines one confidential value, and d (d≧2) represents a number of elements which constitute one confidential value. m is a number equal to or greater than a total number of tag devices 810 (a total number of required confidential values) and which satisfies a requirement that m=ρ^(d) is a natural number.

Combinations of elements thus generated are allotted to respective tag devices 810. Specifically, one element is selected from each of d kinds of sub-groups α_(u) which constitute together the set of initial values of the above mentioned elements, and the selected combinations of d initial elements f_(u, 0), (f_(1, 0), . . . , f_(u, 0), . . . , f_(d, 0)), are allotted to respective tag devices 810 (f_(1, 0) ∈ {b_(1, 1, 0), . . . , b_(1, q, 0), . . . , b_(1, ρ, 0)}, . . . , f_(u, 0) ∈ {b_(u, 1, 0), . . . , b_(u, q, 0), . . . , b_(u, ρ, 0)}, . . . , f_(d, 0) ∈ {b_(d, 1, 0), . . . , b_(d, q, 0), . . . , b_(d, ρ, 0)}). It is to be noted that this allotment is made so that a same combination does not occur for different tag devices 810, and a total of m kinds (a total number of tag devices 810) of combinations (f_(1, 0), . . . , f_(u, 0), . . . , f_(d, 0)) are allotted. Alternatively, a plurality of combinations of initial elements f_(u, 0) may be related to a single tag device 810, and in this instance, a total of m kinds or more (a total number of tag devices 810 or more) combinations of (f_(1, 0), . . . , f_(u, 0), . . . , f_(d, 0)) are allotted. At least part of elements which constitute each (f_(1, 0), . . . , f_(u, 0), . . . , f_(d, 0)) is shared by a plurality of tag devices 810.

All the combinations (f_(1, 0), . . . , f_(u, 0), . . . , f_(d, 0)) which are generated (combinations of d (d≧2) initial elements f_(u, 0) (u ∈ {1, . . . , d})) are related to tag ID information id_(n) of each allotted tag device 810 and data data_(n) corresponding to each tag device 810, and are stored in a database memory 831 of the backend apparatus 830. It is to be noted that n assumes a value which corresponds to each tag device, and corresponds to a suffix k of tag output information a_(k, i) (to be described later) which is delivered from each tag device. In other words, the number of combinations of d initial elements f_(u, 0) which are stored in the database memory 831 is equal to the total number of tag devices 810. Where a plurality of combinations of initial elements f_(u, 0) are related to a single tag device 810, the number of combinations of d initial elements f_(u, 0) which are stored in the database memory 831 will be equal to or greater than the total number of tag devices 810.

Combinations of generated initial elements (f_(1, 0), . . . , f_(u, 0), . . . , f_(d, 0)) (equivalent to “combinations each comprising d (d≧2) elements e_(u, vu) (u ∈ {1, . . . , d}) and corresponding to respective tag ID information id_(k)” where vu represents an integer equal to or greater than 0 and indicating the number of times the element e_(u, vu) is updated and the suffix vu of the element e_(u, vu) represents v_(u)) are stored in the confidential value memory 811 of respective allotted tag devices 810. In the description to follow, a combination of initial elements which is stored in the confidential value memory 811 of each tag device 810 is indicated by (e_(1, 0), . . . , e_(u, 0), . . . , e_(d, 0)).

In the example of FIG. 16, an allotment of initial elements for d=2,ρ=3, m=9 is shown.

As shown in FIG. 16 B, for this example, combinations 831 aa of initial elements ((f_(1, 0), f_(2, 0)) (f_(1, 0) ∈ {b_(1, 1, 0), b_(1, 2, 0), b_(1, 3, 0)}, f_(2, 0) ∈ {b_(2, 1, 0), b_(2, 2, 0), b_(2, 3, 0)})), tag ID information 831 ab (id_(n) (n ∈ {1, . . . , 9})) and data 831 ac (data_(n) (n ∈ {1, . . . , 9})) are stored in the database memory 831 of the backend apparatus 830 in a manner relating to each other.

As shown in FIG. 16 A, one set of combinations of initial elements 811 a ((e_(1, 0), e_(2, 0))=(b_(1, 2, 0), b_(2, 2, 0))) which corresponds to the tag ID information id is stored in the confidential value memory 811 of the tag device 810. It is to be noted that part of the element e_(u, vu) which is stored in the confidential value memory 811 is also stored in the confidential value memory of another tag device as a corresponding element in another tag device.

<Processing by Tag Device>

A processing which takes place when the tag device 810 is read by the reader 20 during an i-th run (i is a natural number) will be described below.

Initially, in a hash calculator 812 (equivalent to “second calculator”), d elements e_(u, vu) are extracted from the confidential value memory 811 (step S161), and a hash function G is applied to a combined value of these bit trains (confidential value s_(k, i)) to calculate the tag output information a_(k, i)=G(s_(k, i)) (step S162) where k represents a value corresponding to each tag device and i is a natural number indicating a number of times delivered from the output section. It is to be noted that in the present embodiment, the confidential value s_(k, i)=e_(1, v1)| . . . |e_(u, vu)| . . . |e_(d, vd) and the tag output information a_(k, i)=G(e_(1, v1)| . . . |e_(u, vu)| . . . |e_(d, vd)) are used, but the sequence in which bits of the respective elements e_(u, vu) are disposed is not limited thereto.

The generated tag output information a_(k, i) is sent to an interface 114, which delivers the tag output information a_(k, i) (step S163).

Subsequently, a hash calculator 813 (equivalent to “first calculator”) extracts elements e_(u′, vu′) (u′ ∈ {1, . . . , d}), which are at least part thereof, from the confidential value memory 811, calculates a hash value H(e_(u′, vu′)) of the extracted elements e_(u′, vu′) (step S164) and saves by overwriting the hash value H(e_(u′, vu′)) as a new element e_(u′, vu′+1) in the confidential value memory 811 (step S165). It is to be understood that a method of selecting u′ ∈ {1, . . . , d} may be any desired one. By way of example, a method of selecting a different u′ each time the tag device 810 performs a communication, a method in which a separate u′ is selected at the time every element e_(u′, vu′) has been updated for one u′, a method of selecting two or more u′ concurrently can be cited.

<Processing by Reader>

The reader 120 receives a tag output information a_(k, i) transmitted from the tag device 810 at its interface 122 (step S166), and sends it to the communication section 123. The communication section 123 extracts products distribution information pd from products distribution information memory 121 (step S167) and transmits the products distribution information pd and the tag output information a_(k, i) to the backend apparatus 830 through the network 140 (step S168).

<Processing by Backend Apparatus>

The tag output information a_(k, i) and the products distribution information pd which are transmitted from the reader 120 are received by the communication section 132, and are stored in the memory 136 a (step S169).

This triggers the controller 136 to substitute 1 for n and to store it in the memory 136 a (step S170), to select a combination of d w_(u) in the manner indicated below and to store the combination in the memory 136 a (step S171). (w₁, . . . , w_(d)) ∈ S_(W)={w₁, . . . , w_(d)|w_(u) ∈ [0, j_max]} (where [α, β] represents a set of integers equal to or greater than α and equal to or less than β.)

Then the controller 136 verifies, while referring to n and the combination of d w_(u) in the memory 136 a and also referring to a hash value memory 838, whether or not a hash value H^(wu)(f_(u, 0)) which is a result of applying w_(u) times the hash function H to d initial elements f_(u, 0) (u ∈ {1, . . . , d}) corresponding to the tag ID information id_(n) is stored (is already generated) in the hash value memory 838 (step S172). It is to be noted that super-index w_(u) in H^(wu)(f_(u, 0)) represents w_(u).

In the event it is determined that there remain some of hash values H^(wu)(f_(u, 0)) corresponding to the tag ID information id_(n) which have not yet been calculated, a hash calculator 837 extracts initial elements f_(u, 0) corresponding to those of “the hash values H^(wu)(f_(u, 0)) corresponding to the tag ID information id_(n) which have not yet been calculated” from the database memory 831, applies w_(u) times the hash function H to these initial elements f_(u, 0) to calculate the hash value H^(wu)(f_(u, 0)) (step S173). The calculated hash value H^(wu)(f_(u, 0)) is stored in the hash value memory 838 (step S174), then returning to the processing at step S172.

On the other hand, if it is determined at step S172 that all of hash values H^(wu)(f_(u, 0)) corresponding to the tag ID information id_(n) have been generated, the controller 136 causes, while referring to n and combinations of d w_(u) in the memory 136 a, a hash calculator 833 (equivalent to “third calculator”) to extract the hash values H^(wu)(f_(u, 0)) which are obtained by applying w_(u) times the first function F1 to d initial elements f_(u, 0) (u ∈ {1, . . . , d}) corresponding to the tag ID information id_(n) from the hash value memory 838 (step S175) and to calculate a value c which is obtained by applying the hash value G to a bit combination value of these hash values H^(wu)(f_(u, 0)) (step 176). The calculated value c may be illustrated by c=G(H^(w1)(f_(1, 0))| . . . |H^(wu)(f_(u, 0))| . . . |H^(wd)(f_(d, 0))), for example, but the bit disposition sequence of each hash value H^(wu)(f_(u, 0)) is not limited thereto. However, the sequence should correspond to the bit disposition sequence of each element e_(u, vu) in the hash calculator 812 of the tag device 810.

Then, the comparator 134 reads the tag output information a_(k, i) from the memory 136 a, receives the calculated value c from the hash calculator 833 and compares them to determine if c=a_(k, i) (step S177). In this example, the hash value c=G(H^(w1)(f_(1, 0))| . . . |H^(wu)(f_(u, 0))| . . . |H^(wd)(f_(d, 0))) and the tag output information a_(k, i) are compared against each other.

In the event it is determined that these do not match, the controller 136 determines whether or not all of d combination patterns (w₁, . . . , w_(d)) ∈ S_(w) have been selected while referring to the memory 136 a (step S178). If it is determined that there exists a combination pattern which has not yet been selected, the controller 136 selects a new combination (w₁, . . . , w_(d)) ∈ S_(w), stores it in the memory 136 a (step S179) and causes the processings at step S172 and subsequent steps to be executed for this new combination and n.

On the other hand, if it is determined at step S178 that all of combination patterns have been selected, the controller 136 determines whether or not n=m while referring to n in the memory 136 a (step S180). If it is determined that n=m does not apply, the controller 136 updates n in the memory 136 a by n+1 (step S181) and causes processings at step S172 and subsequent steps to be executed. On the other hand, if it is determined that n=m, an error termination of the processing results (step S182).

It is to be noted that the processings which take place at steps S172˜181 are equivalent to re-executing the processings in the hash calculator 833 and the comparator 134 by changing the value of at least part of n and w_(u) under the control of the controller 136 when the tag output information a_(k, i) and the calculated value c do not match.

On the other hand, if it is determined at step S177 that the hash value c and the tag output information a_(k, i) match, the read/write section 135 selects tag ID information id_(n) which is related to the combination of a plurality of initial elements f_(u, 0) corresponding to the hash value c from the database memory 831 under the control of the controller 135, extracts the tag ID information id_(n) and its corresponding data data_(n) and sends them to the communication section 132. The read/write section 135 receives the products distribution information pd from the memory 136 a, and writes this products distribution information pd as data data_(n) corresponding to the tag ID information id_(n) into the database memory 831 as an addition (step S183).

The tag ID information id_(n) and data data_(n) which are sent to the communication section 132 are transmitted to the reader 120 through the network 140 (step S184), and are received by the communication section 123 of the reader 120 to be delivered (step S185).

<Features of Embodiment 8>

[Efficiency]

To calculate the hash value c in the hash calculators 838 of the backend apparatus 830, it is necessary to calculate a hash value H^(wu)(f_(u, 0))=f_(u, vu). In the embodiment 8, each element e_(u, vu) can be used in common by a plurality of tag devices 810, and accordingly, if the hash value H^(wu)(f_(u, 0))=f_(u, vu) which is calculated to calculate the hash value c corresponding to either one of the tag devices 810 is stored in the hash value memory 838, this element f_(u, vu) can also be utilized in the calculation of hash values c corresponding to other tag devices 810. In this manner, the number of tag devices 810 which can be accommodated can be increased without increasing the number of hash values H^(wu)(f_(u, 0)) which must be calculated. Specifically, initial elements which are inherent to tag devices which are equal in number to ρ^(d) can be allotted by using d*ρ elements.

Because communication data is constructed by the calculation of hash functions alone, the scale of a circuit which is incorporated into the tag device 810 is small in comparison to a conventional method which generates random numbers, and this embodiment lends itself to an application which demands a low cost.

[Impossibility of Tracing]

In the embodiment 8, tag output information a_(k, i)=G(s_(k, i)) is used in the communication. Because of the incapability to identify a hash value, this tag output information a_(k, i)=G(s_(k, i)) appears to be a mere random number to an attacker who does not know a confidential value. Accordingly, the attacker cannot know whether or not the tag output information a_(k, i)=G(s_(k, i)) and a_(k, i+1)=G(s_(k, i+1)) have been delivered from the same tag device 810, and therefore cannot trace the distribution process of the tag device 810.

[Forward Security]

In the embodiment 8, an arrangement is used that the confidential value in the confidential value memory 811 which is used in the communication is updated by the hash function H. In addition, if the tag device 810 is tampered with to leak each element e_(u, vu), the attacker cannot determine a past element e_(u, vu−Δvu) from the element e_(u, vu) due to the one-way nature of the hash function. Accordingly, if each element e_(u, vu) were leaked, the attacker cannot find a correspondence between each element e_(u, vu) acquired and the history of communications, and hence cannot trace the tag device 810.

[Traceability]

On the other hand, on account of the difficulty of a collision between the hash functions G and H (the property that hash values of different values can hardly assume a same value), the backend apparatus 830 which knows each element e_(u, vu) is capable of tracing the distribution process of the tag device.

In the embodiment 8, the set of initial elements which are generated by the backend apparatus 830 is chosen to be as follows: (b_(1, 1, 0), . . . , b_(1, j, 0), . . . , b_(1, ρ, 0)) . . . (b_(u, 1, 0), . . . , b_(u, j, 0), . . . , b_(u, ρ, 0)) . . . (b_(d, 1, 0), . . . , b_(d, j, 0), . . . , b_(d, ρ, 0)). Thus, ρ initial elements b are generated for each u (u ∈ {1, . . . , d}). However, the number of initial elements which are generated for each u (u ∈ {1, . . . , d}) may be different.

The hash value H^(wu)(f_(u, 0)) (u ∈ {1, . . . , d}) which is required in the processing at step S176 may be determined by the hash calculator 837 of the backend apparatus 830 at the pre-processing step, and stored in the hash value memory 838.

EMBODIMENT 9

An embodiment 9 is a modification of the embodiment 8, and differs from the embodiment 8 in that a proper value which is inherent to each tag device is additionally stored in the confidential value memory of the tag device and the database memory of the backend apparatus, and a hash value a_(k, i)=G(s_(k, i)) of a combination of bit trains including each element e_(u, vu) and a proper value γ_(k) is used as tag output information. This prevents a situation in which a confidential value of a particular tag device is determined on the basis of elements e_(u, vu) which are collected by tampering with other tag devices and is then used to trace that tag device.

Only a distinction over the embodiment 8 will be described below while omitting a description for what are common with the embodiment 8.

FIG. 19 is an illustration of an overall arrangement of an automatic tag identification system 900 of the embodiment 9. FIG. 20 A illustrates examples of data which are stored in a confidential value memory 911 of a tag device 910, and FIG. 20 B shows examples of data which are stored in a database memory 931 of a backend apparatus 930. It is to be noted that in FIG. 19, a functional arrangement which is common with the embodiment 1 is denoted by like characters as used in FIG. 2, and a functional arrangement which is common with the embodiment 8 is denoted by like characters as used in FIG. 15 without giving a description thereof. It is to be noted that while FIG. 19 shows only one tag device 910, there are a plurality of tag devices 910 in actuality.

A functional arrangement and a processing method of the embodiment 9 will be described below with reference to these Figures.

<Pre-Processing>

Differences over the embodiment 8 reside in that a proper value γ_(k) is additionally stored in the confidential value memory 911 of the tag device 910 and that a combination of d (d≧2) initial elements f_(u, 0) (u ∈ {1, . . . , d}), a proper value γ_(k) which is inherent to each tag device, and tag ID information id_(n) of each tag device (n assuming a value which corresponds to each tag device) are stored in the database memory 931 of the backend apparatus 930 in a manner relating these to each other. It is to be noted that proper values γ_(k) and γ_(n) are random values, for example.

In the example shown in FIG. 20, an allotment of combined proper values for d=2, ρ=3, m=9 is shown.

As shown in FIG. 20 B, in this example, a combination 931 aa of initial elements ((f_(1, 0), f_(2, 0)) (f_(1, 0) ∈ {b_(1, 1, 0), b_(1, 2, 0), b_(1, 3, 0)}, f_(2, 0) ∈ {b_(2, 1, 0), b_(2, 2, 0), b_(2, 3, 0)})), the tag ID information 931 ab (id_(n) (n ∈ {1, . . . , 9})), data 931 ac (data_(n) (n ∈ {1, . . . , 9})), and a proper value 931 ad which is inherent to each tag device (γ_(k), k ∈ {1, . . . , 12}) are stored in the database memory 931 of the backend apparatus 930 in a manner relating these to each other. As shown in FIG. 20 A, a combination 911 a of initial elements ((e_(1, 0), e_(2, 0))=(b_(1, 2, 0), b_(2, 2, 0))) and a proper value 911 b (γ_(k)=γ₅) are stored in the confidential value memory 911 of the tag device 910.

<Processing by Tag Device>

A processing which occurs when the tag device 910 is read by the reader 120 during an i-th run (i being a natural number) will be described below.

Initially, a hash calculator 912 (equivalent to “second calculator”) extracts each element e_(u, vu) and a proper value γ_(k) from the confidential value memory 911, and calculates the tag output information a_(k, i)=G(s_(k, i)) which is a hash value of a combination value (confidential value s_(k, i)) of bit trains including the extracted elements e_(u, vu) and the proper value γ_(k). In the embodiment 9, a confidential value and tag output information are chosen to be s_(k, i)=γ_(k)|e_(1, v1)| . . . |e_(u, vu)| . . . |e_(d, vd) and a_(k, i)=G(γ_(k)|e_(1, v1)| . . . |e_(u, vu)| . . . |e_(d, vd)).

Subsequently, the tag output information a_(k, i) is delivered and the elements in the confidential value memory 911 are updated in a manner similar to that in the embodiment 8.

<Processing by Reader>

This remains to be similar to the embodiment 8.

<Processing by Backend Apparatus>

A distinction over the embodiment 8 resides in that in place of the processing at step S176 in the embodiment 8 (FIG. 18), a hash calculator 933 (equivalent to “third calculator”) reads a proper value γ_(n) from the database memory 931 and calculates a hash value c of a combination value of bit trains including the hash value H^(wu)(f_(u, 0)) and the proper value γ_(n). In this example, a hash value c=G(γ_(n)|H^(w1)(f_(1, 0))| . . . |H^(wu)(f_(u, 0))| . . . |H^(wd)(f_(d, 0))) is calculated. In other respects, the processing is similar to the embodiment 8.

<Features of Embodiment 9>

[Impossibility of Tracing]

In the embodiment 9, the tag output information a_(k, i)=G(s_(k, i)) which is a hash value of a combination of bit trains including elements e_(u, vu) and the proper value γ_(k) is delivered from the tag device 910. The proper value γ_(k) is a value which is inherent to each tag device 910. Accordingly, if a certain tag device is tampered with, it is impossible to determine the past tag output information of a different tag device which shares the element e_(u, vu) from the hash value of data which are stored in the first mentioned tag device. Accordingly, an attacker cannot trace the different tag device.
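The element-sharing scheme of the embodiments 8 and 9 for d=2, ρ=3, m=9, as an added Python sketch that is not part of the patent text: H and G are modelled as domain-separated SHA-256, the round-robin choice of u′ is one of the permitted policies, and all class, function and `id1` style names are assumptions. The memoized `power` plays the role of the hash value memory 838, and `pooled_guess_matches` checks the property the embodiment 9 adds: without γ_k, elements held by two other tags determine a third tag's output, and with γ_k they do not.

```python
import hashlib
import hmac
import itertools
import secrets


def H(x: bytes) -> bytes:
    """Element update function H (assumed SHA-256 based, 16-byte elements)."""
    return hashlib.sha256(b"H" + x).digest()[:16]


def G(x: bytes) -> bytes:
    """Tag output function G (assumed SHA-256 based)."""
    return hashlib.sha256(b"G" + x).digest()


class Tag:
    """Tag device 810/910: d elements e_u and an optional proper value gamma_k."""

    def __init__(self, elements, gamma: bytes = b""):
        self.e = list(elements)
        self.gamma = gamma
        self.next_u = 0  # round-robin choice of u' (assumed policy)

    def respond(self) -> bytes:
        out = G(self.gamma + b"".join(self.e))        # a = G(gamma_k|e_1|...|e_d)
        self.e[self.next_u] = H(self.e[self.next_u])  # overwrite e_{u'} with H(e_{u'})
        self.next_u = (self.next_u + 1) % len(self.e)
        return out


class Backend:
    def __init__(self, pool, records, j_max: int):
        self.pool = pool          # pool[u][q] = initial element b_{u,q,0} (0-based)
        self.records = records    # list of (q-index tuple, gamma_n, id_n)
        self.j_max = j_max
        self.cache = {}           # hash value memory: (u, q, w) -> H^w(b_{u,q,0})
        self.h_calls = 0

    def power(self, u: int, q: int, w: int) -> bytes:
        """H^w(b_{u,q,0}), computed once and shared by every tag holding that element."""
        if w == 0:
            return self.pool[u][q]
        key = (u, q, w)
        if key not in self.cache:
            self.cache[key] = H(self.power(u, q, w - 1))
            self.h_calls += 1
        return self.cache[key]

    def identify(self, a: bytes):
        d = len(self.pool)
        for qs, gamma, tag_id in self.records:                         # loop over n
            for ws in itertools.product(range(self.j_max + 1), repeat=d):
                parts = [self.power(u, qs[u], ws[u]) for u in range(d)]
                if hmac.compare_digest(G(gamma + b"".join(parts)), a):
                    return tag_id, ws
        return None                                                    # error termination


def build_system(d: int, rho: int, j_max: int, with_gamma: bool):
    """Pre-processing: d*rho random elements give rho**d distinct combinations."""
    pool = [[secrets.token_bytes(16) for _ in range(rho)] for _ in range(d)]
    records, tags = [], []
    for n, qs in enumerate(itertools.product(range(rho), repeat=d), start=1):
        gamma = secrets.token_bytes(16) if with_gamma else b""
        records.append((qs, gamma, f"id{n}"))
        tags.append(Tag([pool[u][qs[u]] for u in range(d)], gamma))
    return Backend(pool, records, j_max), tags


def pooled_guess_matches(with_gamma: bool) -> bool:
    """Do elements stored in two other tags reproduce the output of the tag holding
    (b_{1,2,0}, b_{2,2,0})? Expected: True without gamma, False with gamma."""
    _, tags = build_system(2, 3, 3, with_gamma)
    guess = G(tags[3].e[0] + tags[1].e[1])  # b_{1,2,0} from one tag, b_{2,2,0} from another
    return hmac.compare_digest(guess, tags[4].respond())
```

With these parameters a full failed search tries 9 × 16 candidates yet evaluates H only d·ρ·j_max = 18 times, because every later candidate is served from the cache.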

EMBODIMENT 10

An embodiment 10 is a modification of the embodiment 8, and differs from the embodiment 8 in that t kinds (t≧2) of manifold values z are stored in a manifold value memory of a tag device, and a hash value a_(k, i)=G(s_(k, i)) of a bit combination value (confidential value s_(k, i)) of each element e_(u, vu) extracted from a confidential value memory and either one of the manifold values z is used as tag output information, with the confidential value memory being updated once for communication which counts t times.

Only a distinction over the embodiment 8 will be described below while omitting a description for what is common with the embodiment 8.

FIG. 21 is an illustration of an overall arrangement of an automatic tag identification system 1000 of the embodiment 10. FIG. 22 is a flow chart for describing processing in a tag device 1010, and FIG. 23 is a flow chart for describing processing in a backend apparatus 1030. It is to be noted that in FIG. 21, functional arrangements which are common to the embodiment 1 and the embodiment 8 are designated by like characters as used in FIGS. 2 and 15. It is also to be noted that while FIG. 21 shows only one tag device 1010, there exist a plurality of tag devices 1010 in actuality.

A functional arrangement and a processing method of the present embodiment will be described below with reference to these Figures.

<Pre-Processing>

Differences over the embodiment 8 reside in that t kinds (t≧2) of manifold values z are generated in a manifold value generator 1015 of the tag device 1010 and are stored in a manifold value memory 1016 (equivalent to “first manifold value memory”) and that t kinds (t≧2) of manifold values z which are shared by respective tag devices 1010 are stored in a database memory 1031 (equivalent to “second manifold value memory”) of the backend apparatus 1030.

A manifold value generator 1015 can be illustrated by a counter which counts z=1 . . . t, a hash calculator which performs a calculation z=H(seed, x), x∈{1, . . . , t}, a hash calculator which performs a calculation z=H^(x)(seed), x∈{1, . . . , t} or the like. Here, seed represents an initial value. In a description to follow, a manifold value z will be represented as z=π(x) and count x∈{1, . . . , t}. Preferably manifold values z=π(x) which correspond to respective values of x∈{1, . . . , t} do not coincide.

It is to be noted that the generation and storage of the manifold value z need not be performed during the pre-processing, but may be performed when processing a communication with the tag device 1010 or when processing a retrieval by the backend apparatus 1030.

<Processing by Tag Device>

A processing which occurs when the tag device 1010 is read by the reader 120 during an i-th run (i being a natural number) will be described below. It is to be noted that the initial value (i=1) of the count x is 1, and the count x is saved in a memory 115 a under the control of a controller 115.

Initially, a hash calculator 1012 (equivalent to “second calculator”) extracts each element e_(u, vu) from a confidential value memory 1011 and extracts either one of manifold values z (which is z=π(x) in this example) from a manifold value memory 1016 (step S191). The hash calculator 1012 calculates a hash function a_(k, i)=G(s_(k, i)) of a bit combination value (confidential value s_(k, i)) of each extracted element e_(u, vu) and manifold value z as tag output information (step S192). In this example, a confidential value is chosen to be s_(k, i)=e_(1, v1)| . . . |e_(u, vu)| . . . |e_(d, vd)|z, and tag output information is chosen to be a_(k, i)=G(e_(1, v1)| . . . |e_(u, vu)| . . . |e_(d, vd)|z). It is to be noted that the bit disposition sequence of each element e_(u, vu) and the manifold value z and the number of manifold values z for bit combinations are not limited to this. Since it is presumed that manifold values z=π(x) corresponding to x∈{1, . . . , t} do not coincide, it follows that as long as elements in the confidential value memory 1011 are not updated, the manifold value z which is used by the hash calculator 1012 in generating tag output information a_(k, i) varies from communication to communication.

The generated tag output information a_(k, i) is sent to an interface 114, which delivers the tag output information a_(k, i) (step S193).

Subsequently, a controller 115 performs an arithmetic operation x←x+1 (count up) (step S194), and determines whether or not x>t (step S195). If it is determined that x>t does not apply, the processing in the tag device 1010 is terminated while maintaining the value x in the memory 115 a.

On the other hand, if it is determined that x>t, the controller 115 changes the count x in the memory 115 a to x←1 (step S1196), and a hash calculator 1013 extracts at least part of elements e_(u′, vu′) (u′∈{1, . . . , d}) from the confidential value memory 1011 and calculates a hash value H(e_(u′, vu′)) of extracted element e_(u′, vu′) (step S197). The hash calculator 1013 overwrites this hash value H(e_(u′, vu′)) into the confidential value memory 1011 as a new element e_(u′, vu′+1) (step S198). Any technique of selecting u′∈{1, . . . , d} may be used.

<Processing by Reader>

This remains to be similar to the embodiment 8.

<Processing by Backend Apparatus>

The tag output information a_(k, i) and products distribution information pd which are transmitted from the reader 120 are received by a communication section 132 and stored in a memory 136 a (step S201).

This triggers the controller 136 to substitute 1 for n to be stored in the memory 136 a (step S202), to select a combination of d w_(u)'s in the manner indicated below, and to store the combination in the memory 136 a (step S203).

(w₁, . . . , w_(d))∈S_(w)={w₁, . . . , w_(d) | w_(u)∈[0, j_(max)]}

The controller 136 then refers to n and the combination of d w_(u)'s in the memory 136 a and also refers to the hash value memory 838 to verify whether or not hash values H^(wu)(f_(u, 0)) which are results of applying w_(u) times the hash function H to d initial elements f_(u, 0) (u∈{1, . . . , d}) corresponding to tag ID information id_(n) are stored in the hash value memory 838 (whether or not they have been generated) (step S204). It is to be noted that the super-index wu in H^(wu)(f_(u, 0)) represents w_(u).

If it is determined that there exist some of the hash values H^(wu)(f_(u, 0)) corresponding to the tag ID information id_(n) which have not yet been calculated, a hash calculator 837 extracts initial elements f_(u, 0) corresponding to “some of the hash values H^(wu)(f_(u, 0)) corresponding to tag ID information id_(n) which have not yet been calculated” from the database memory 1031, and calculates the values H^(wu)(f_(u, 0)) by applying w_(u) times the hash function H to these initial elements f_(u, 0) (step S205). The calculated hash values H^(wu)(f_(u, 0)) are stored in the hash value memory 838 (step S206), then returning to the processing at the step S204.

On the other hand, if it is determined at the step S204 that all of hash values H^(wu)(f_(u, 0)) corresponding to the tag ID information id_(n) have been generated, the controller 136 causes, while referring to n and the combination of d w_(u)'s in the memory 136 a, a hash calculator 1033 (equivalent to “third calculator”) to extract a hash value H^(wu)(f_(u, 0)) which is a result of applying w_(u) times the first function F1 to each of d initial elements f_(u, 0) (u∈{1, . . . , d}) corresponding to the tag ID information id_(n) (step S207). The controller 136 sets up a count x′ of 1 and stores it in the memory 136 a (step S208) and extracts a manifold value z=π(x′) from the database memory 1031 to be fed to the hash calculator 1033. The hash calculator 1033 then calculates a calculated value c by applying the hash function G to a bit combination value of the hash value H^(wu)(f_(u, 0)) and the manifold value z (step S209). The calculated value c can be illustrated as c=G(H^(w1)(f_(1, 0))| . . . |H^(wu)(f_(u, 0))| . . . |H^(wd)(f_(d, 0))|z), for example, but the bit disposition sequence of each hash value H^(wu)(f_(u, 0)) and the manifold value z and the number of the manifold values z which are used in the bit combination are not limited to this. However, there is a requirement that the sequence thereof or the like should be related to the bit disposition sequence of elements in the hash calculator 1012 of the tag device 1010.

The comparator 134 then reads tag output information a_(k, i) from the memory 136 a, receives the calculated value c from the hash calculator 1033, and compares them to determine whether or not c=a_(k, i) (step S210). In this example, the hash value c=G(H^(w1)(f_(1, 0))| . . . |H^(wu)(f_(u, 0))| . . . |H^(wd)(f_(d, 0))|z) and the tag output information a_(k, i) are compared against each other.

In the event it is determined that these do not match, the controller 136 determines whether or not x′ in the memory 136 a is t (step S211). If it is determined that x′=t does not apply, the controller 136 updates x′ in the memory 136 a by x′+1 and then causes the processings at step S209 and subsequent steps to be executed (step S212). On the other hand, if it is determined that x′=t, the controller 136 determines, by referring to the memory 136 a, whether or not all of d combination patterns (w₁, . . . , w_(d))∈S_(w) are already selected (step S213).

If it is determined that there exist some combination patterns which are not yet selected, the controller 136 selects a new combination (w₁, . . . , w_(d))∈S_(w), stores it in the memory 136 a (step S214) and causes the processings at and subsequent to step S204 to be executed for this new combination and n. On the other hand, if it is determined at step S213 that all of combination patterns have been selected, the controller 136 determines whether or not n=m by referring to n in the memory 136 a (step S215). If it is determined that n=m does not apply, the controller 136 updates n in the memory 136 a by n+1 (step S216), and causes the processings at and subsequent to step S204 to be executed. However, if it is determined that n=m, an error termination of the processing results (step S217).

It is to be noted that the processings which take place at steps S204˜216 are equivalent to re-executing the processings in the hash calculator 1033 and the comparator 134 by changing the value of at least part of n, w_(u), and z under the control of the controller 136 when the tag output information a_(k, i) and the calculated value c do not match.

On the other hand, if it is determined at step S210 that the hash value c matches the tag output information a_(k, i), the read/write section 135 selects tag ID information id_(n) which is related to the combination of a plurality of initial elements f_(u, 0) corresponding to the hash value c from the database memory 1031, extracts this tag ID information id_(n) and its corresponding data data_(n) and sends them to the communication section 132 under the control of the controller 135. In addition, the read/write section 135 receives products distribution information pd from the memory 136 a, and writes this products distribution information pd as data data_(n) which corresponds to the tag ID information id_(n) into the database memory 1031 as an addition (step S218). The tag ID information id_(n) and data data_(n) which are sent to the communication section 132 are transmitted to the reader 120 through the network 140 (step S219).

<Features of Embodiment 10>

[Impossibility of Tracing]

In the tag device 1010 in the present embodiment, a hash value of a bit combination value of elements e_(u, vu) and the manifold values z is used as tag output information a_(k, i). Accordingly, the output value can be changed by changing the manifold value z without updating the elements e_(u, vu). On account of one-way nature of the hash function, a correlation with the output value which is changed in this manner cannot be obtained. In addition, because the manifold value z assumes t kinds of values, it is possible for the tag device to perform, t times at maximum, communication which is difficult to trace without updating elements e_(u, vu).

[Efficiency]

In the tag device 1010 of the present embodiment, elements e_(u, vu) in the confidential value memory 11 are updated only once for t times of communications. Accordingly, the amount of the calculations required for updating processing in the tag device 1010 can be reduced by a factor of 1/t.

Also, a comparison between the hash value c and the tag output information a_(k, i) which takes place in the backend apparatus 1030 can take place T times at maximum without changing a combination of hash values H^(wu)(f_(u, 0)). Accordingly, if a permissible number of communications of the tag device 210 (a maximum value of accesses from the reader 120 to the tag device 1010) were increased, the hash processing in the backend apparatus 1030 does not increase significantly.
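The tag-side steps S191 to S198 and the backend search over n, (w₁, . . . , w_(d)) and x′ described for the embodiment 10, as an added Python sketch that is not part of the patent text. It assumes SHA-256 with one-byte prefixes for H and G, a two-byte counter for π(x), a round-robin choice of u′, and constructed tag IDs and initial elements.

```python
import hashlib
from itertools import product

# Assumption: H and G come from one hash with distinct one-byte prefixes.
def H(x: bytes) -> bytes:
    """First function F1: one-way update of an element."""
    return hashlib.sha256(b"\x00" + x).digest()

def G(x: bytes) -> bytes:
    """Second function F2: produces the tag output information."""
    return hashlib.sha256(b"\x01" + x).digest()

def pi(x: int) -> bytes:
    """Manifold value z = pi(x); a plain counter, so the t values never coincide."""
    return x.to_bytes(2, "big")

def make_elements(label: str, d: int) -> list:
    """Constructed initial elements f_(u,0) (sample data, fixed 32-byte length)."""
    return [hashlib.sha256(f"{label}/f{u}".encode()).digest() for u in range(d)]

class Tag:
    def __init__(self, elements, t):
        self.e = list(elements)   # confidential value memory: d elements
        self.t = t                # number of manifold values
        self.x = 1                # count x, initial value 1
        self.next_u = 0           # assumption: u' is chosen round-robin

    def read(self) -> bytes:
        a = G(b"".join(self.e) + pi(self.x))     # S191-S192: a = G(e_1|...|e_d|z)
        self.x += 1                              # S194: count up
        if self.x > self.t:                      # S195
            self.x = 1                           # reset the count
            u = self.next_u
            self.e[u] = H(self.e[u])             # S197-S198: overwrite with H(e)
            self.next_u = (u + 1) % len(self.e)
        return a                                 # S193: delivered output

class Backend:
    def __init__(self, db, t, j_max):
        self.db = db              # database memory: tag id -> initial elements
        self.t = t
        self.j_max = j_max        # each w_u ranges over [0, j_max]
        self.chain_cache = {}     # hash value memory: (id, u, w) -> H^w(f_(u,0))

    def _chain(self, tag_id, u, w) -> bytes:
        """H applied w times to f_(u,0), computed once and cached (S204-S206)."""
        key = (tag_id, u, w)
        if key not in self.chain_cache:
            if w == 0:
                self.chain_cache[key] = self.db[tag_id][u]
            else:
                self.chain_cache[key] = H(self._chain(tag_id, u, w - 1))
        return self.chain_cache[key]

    def identify(self, a: bytes):
        """Return (tag id, (w_1..w_d), x') matching a, or None (S217)."""
        for tag_id, f in self.db.items():                        # n = 1..m
            for ws in product(range(self.j_max + 1), repeat=len(f)):
                prefix = b"".join(self._chain(tag_id, u, w)
                                  for u, w in enumerate(ws))     # S207
                for x in range(1, self.t + 1):                   # S208-S212
                    if G(prefix + pi(x)) == a:                   # S209-S210
                        return tag_id, ws, x
        return None

if __name__ == "__main__":
    db = {"tag-A": make_elements("A", 2), "tag-B": make_elements("B", 2)}
    tag = Tag(db["tag-A"], t=3)
    backend = Backend(db, t=3, j_max=2)
    for i in range(1, 8):
        print(i, backend.identify(tag.read()))
```

Only the inner loop over x′ calls G again for a fixed combination of chain values, which is the efficiency property stated above; the chain values themselves are computed once and reused across lookups.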

EMBODIMENT 11

An embodiment 11 is a modification of the embodiment 10, and differs from the embodiment 10 in that a manifold value z_(u) which assumes t_(u) kinds (t_(u)≧2) of values is stored for each u (u∈{1, . . . , d}) in a manifold value memory of a tag device, and a tag output information a_(k, i)=G(e_(1, v1)|z₁| . . . |e_(d, vd)|z_(d)) for a bit combination value of each element e_(u, vu) extracted from a confidential value memory and either one of manifold values z_(u) is used as an output value. In addition, while the updating of each element e_(u, vu) in the confidential value memory which corresponds to each u (u∈{1, . . . , d}) is performed once for communications of t times, in the embodiment 11, the point in time of communication when element e_(u, vu) is updated is shifted, so that either one of elements e_(u′, vu′) (u′∈{1, . . . , d}) in the confidential value memory is updated each time the tag device delivers the tag output information a_(k, i). This prevents the tag device from being traced if the tag device is tampered with at any point in time of communication.

Only a distinction over the embodiment 1 and the embodiment 10 will be described below while omitting a description for what is common with the embodiment 1 and the embodiment 10.

FIG. 24 is an illustration of an overall arrangement of an automatic tag identification system 1100 of an embodiment 11. FIG. 25 is a flow chart for describing processing by a tag device 1110, and FIG. 26 is a flow chart for describing part of processing by a backend apparatus 1130. It is to be noted that in FIG. 24, functional arrangements which are common to the embodiment 1 and 8 are designated by like characters as used in FIGS. 2 and 15. In addition, while only one tag device 1110 is shown in FIG. 24, in actuality, there are a plurality of tag devices 1110.

A functional arrangement and a processing method of the present embodiment will be described below with reference to these Figures.

<Pre-Processing>

Differences with respect to the embodiment 10 reside in that a manifold value generator 1115 of a tag device 1110 sets up a manifold value z_(u) which assumes t_(u) kinds (t≧2) of values for each u (u∈{1, . . . , d}) and it is stored in a manifold value memory 1116 (equivalent to “first manifold value memory”) and that a manifold value z_(u) which assumes t_(u) kinds (t≧2) of values for each u (u∈{1, . . . , d}) is stored in the database memory 1131 (equivalent to “second manifold value memory”) of a backend apparatus 1130. It is to be noted that manifold values z_(u) which are stored in the database memory 1131 are same as manifold values z_(u) which are stored in respective tag devices 1110.

The manifold value generator 1115 can be illustrated by a counter which counts z_(u)=1 . . . t_(u) for each u (u∈{1, . . . , d}), a hash calculator which performs a calculation of z_(u)=H(seed, x_(u)), x_(u)∈{1, . . . , t_(u)} or a hash calculator which performs a calculation of z_(u)=H^(x)(seed), x_(u)∈{1, . . . , t_(u)}. In the description to follow, manifold value z_(u) is expressed as z_(u)=π_(u)(x_(u)), x_(u)∈{1, . . . , t_(u)}. Preferably, π_(u) is set up such that for an equal value of u, manifold values z_(u)=π_(u)(x_(u)) corresponding to x_(u)∈{1, . . . , t_(u)} do not coincide.

In the embodiment 11, each x_(u) is expressed as x_(u)=i+ε_(u) (u∈{1, . . . , d}) where i represents the number of times a communication is made by the tag device 1110, and ε_(u) represents a constant representing an offset from i of each x_(u) (an integer which satisfies 0≦ε_(u)≦r_(max)), and where r_(max) represents a maximum number of times an access is made from the reader 120 to the tag device 1110.

In addition, in the embodiment 11, ε_(u) and t_(u) are set up such that at any point in time when a communication is made, x_(u)=t_(u) is always satisfied by either one of x_(u). For example, t_(u) corresponding to each u (u∈{1, . . . , d}) always assumes an equal value while each ε_(u) is set up such that a set of ε_(u) (u∈{1, . . . , d}) becomes a universal set of natural numbers less than t_(u).

It is not necessary that the generation and the storage of manifold values z_(u) be performed during the pre-processing, but may be performed at the time a communication with the tag device 1110 is processed or at the time a retrieval by the backend apparatus 1130 is processed.

<Processing by Tag Device>

A processing which takes place when the tag device 1110 is read by the reader 120 during an i-th run (i being a natural number) will be described below. It is to be noted that the count x_(u) (u∈{1, . . . , d}) has an initial value (at i=1) which is equal to 1+ε_(u), and each count x_(u) is saved in a memory 115 a under the control of the controller 115.

Initially, a hash calculator 1112 (equivalent to “second calculator”) extracts each element e_(u, vu) from a confidential value memory 1111 and extracts either manifold value z_(u) (which is z_(u)=π_(u)(x_(u)) in this example) from a manifold value memory 1116 (step S231). The hash calculator 1112 calculates tag output information a_(k, i)=G(e_(1, v1)|z₁| . . . |e_(d, vd)|z_(d)) which is a hash value of a bit combination value (confidential value s_(k, i)) of each extracted element e_(u, vu) and either manifold value z_(u) (step S232). Where π_(u) is set up such that manifold values z_(u)=π_(u)(x_(u)) corresponding to x_(u)∈{1, . . . , t_(u)} do not coincide for an equal value of u, it follows that as long as elements in the confidential value memory 1111 are not updated, the manifold value z_(u) which is used by the hash calculator 1112 in generating tag output information a_(k, i) varies from communication to communication. In addition, a bit combination sequence in the confidential value s_(k, i)=e_(1, v1)|z₁| . . . |e_(d, vd)|z_(d) is not limited thereto. The generated tag output information a_(k, i) is sent to the interface 114, which transmits this tag output information a_(k, i) (step S233).

Subsequently, in the controller 136, an arithmetic operation of x_(u)←x_(u)+1 (u∈{1, . . . , d}) takes place for x_(u) in the memory 136 a (step S234). It is to be noted that in the embodiment 11, ε_(u) and t_(u) are set up such that x_(u)=t_(u) applies for either x_(u) at any point in time of any communication. Accordingly, as a result of the arithmetic operation x_(u)←x_(u)+1, x_(u)>t_(u) applies for either x_(u). The controller 136 then substitutes 1 for x_(u) which satisfies x_(u)>t_(u) (step S235). In the present embodiment, u which corresponds to this x_(u) is represented by u′.

Subsequently, the hash calculator 813 extracts a partial element e_(u, vu) (an element corresponding to above mentioned u′∈{1, . . . , d}) from the confidential value memory 1111, and calculates a hash value H(e_(u′, vu′)) of the extracted element e_(u′, vu′) (step S236). The hash calculator 813 overwrites the hash value H(e_(u′, vu′)) as a new element e_(u′, vu′+1) into the confidential value memory 1111 (step S237), then completing a processing by the tag device 1110.

By the processing mentioned above, it follows that each time the interface 114 delivers tag output information a_(k, i), the hash calculator 813 extracts at least one of elements e_(u′, vu′) (u′∈{1, . . . , d}) from the confidential value memory 1111, calculates the hash value H(e_(u′, vu′)) of the extracted element e_(u′, vu′), thus updating the confidential value memory 1111.

<Processing by Reader>

This remains to be similar to the first mode.

<Processing by Backend Apparatus>

A distinction of the embodiment 11 over the embodiment 10 resides in that the processing indicated at step S26 is performed in place of processings at steps S208˜S213 shown in FIG. 23.

Specifically, subsequent to the processing at the step S207, the controller 136 selects a combination of (x₁, . . . , x_(d))∈S_(x) as indicated below, and stores it in the memory 136 a (step S241).

(x₁, . . . , x_(d))∈S_(x)={x₁, . . . , x_(d) | x_(u)∈[0, t_(u)]}

The controller 136 refers to the combination of (x₁, . . . , x_(d))∈S_(x) in the memory 136 a, extracts d manifold values z_(u)=π(x_(u)) (u∈{1, . . . , d}) which correspond to this from the database memory 1131, and sends them to a hash calculator 1133, which then calculates a calculated value c which is a result of applying the hash function G to a bit combination value of the hash value H^(wu)(f_(u, 0)) and the manifold value z_(u) (step S242). The calculated value c can be illustrated by c=G(H^(w1)(f_(1, 0))|z₁| . . . |H^(wu)(f_(u, 0))|z_(u)| . . . |H^(wd)(f_(d, 0))|z_(d)), for example, but the bit disposition sequence of each hash value H^(wu)(f_(u, 0)) and the manifold value z_(u) is not limited thereto. However, the sequence or the like is required to correspond to the bit disposition sequence of each element in the hash calculator 1112 of the tag device 1110.

The comparator 134 then reads tag output information a_(k, i) from the memory 136 a, receives the calculated value c from the hash calculator 1133, and compares them against each other to determine whether or not c=a_(k, i) (step S243). In this example, the hash value c=G(H^(w1)(f_(1, 0))|z₁| . . . |H^(wu)(f_(u, 0))|z_(u)| . . . |H^(wd)(f_(d, 0))|z_(d)) and the tag output information a_(k, i) are compared against each other.

In the event it is determined that these do not match, the controller 136 refers to the memory 136 a to determine whether or not all of combination patterns (x₁, . . . , x_(d))∈S_(x) have been selected (step S244). If it is determined that all of combination patterns (x₁, . . . , x_(d))∈S_(x) have not been selected, the controller 136 selects a new combination (x₁, . . . , x_(d))∈S_(x), and stores it in the memory 136 a, whereupon it causes the processings at and subsequent to step S242 to be executed. On the other hand, if it is determined at step S244 that all of the combination patterns (x₁, . . . , x_(d))∈S_(x) have been selected, the operation proceeds to step S213 in FIG. 23. On the other hand, if the processing at step S243 reveals a determination that c=a_(k, i), the operation proceeds to step S218 in FIG. 23.

[Efficiency]

The comparison between the hash value c and the tag output information a_(k, i) in the backend apparatus 1130 takes place t₁+t₂+ . . . +t_(d−1)+t_(d) times at maximum without changing the combination of hash values H^(wu)(f_(u, 0)). Accordingly, if a permissible number of communications of the tag device 1110 (a maximum value of accesses from the reader 120 to the tag device 1110) increases, the amount of the processing in the backend apparatus 130 does not increase significantly.

[Impossibility of Tracing]

In the tag device 1110 of the embodiment 11, each time the tag output information a_(k, i) is delivered, either element e_(u′, vu′) (u′∈{1, . . . , d}) which is stored in the confidential value memory 1111 is updated by a hash chain. Accordingly, if the tag device 1110 is tampered with and an element e_(u′, vu′) within the confidential value memory 1111 is leaked to an attacker, the attacker cannot find a correlation between the element e_(u′, vu′-t) before the updating and an element e_(u′, vu′) after updating due to one-way nature of the hash function. Hence, the attacker cannot obtain a correlation between an element acquired from the confidential value memory 1111 and an output value which is delivered from the tag device in the past. In this manner, a tracing of the tag device 1110 can be prevented.

In addition, in the embodiment 11, if the tag device 1110 is tampered with to leak each manifold value z_(u), any element e_(u′, vu′) which is stored in the confidential value memory 1111 is updated by overwriting. In this manner, an influence of the tag device 1110 being tampered with can be minimized.

It is to be noted that in the embodiment 11, ε_(u) and t_(u) are set up so that it is assured that x_(u)=t_(u) is satisfied by either x_(u) at any point in time of communication. By way of example, a choice is made such that t₁=t₂= . . . =t_(d), and a counter x_(u) corresponding to each element e_(u, vu) is displaced by 1 (x_(u)=i+u/d).

However, rather than choosing an equal value for t_(u) (u∈{1, . . . , d}), each counter x_(u) corresponding to each element e_(u, vu) may be displaced by a spacing which is determined by dividing t_(u) having a largest value into d sections. In this instance, the requirement of perfect forward security may not be satisfied, but it is at least possible to suppress the influence of tampering.
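The staggered counters of the embodiment 11 and the tracing property claimed for them, as an added Python sketch that is not part of the patent text. It assumes t₁= . . . =t_(d)=d with offsets ε_(u)=0, . . . , d−1, SHA-256 with one-byte prefixes for H and G, a two-byte encoding of π_(u)(x_(u)), and constructed initial elements; `linkable` is a hypothetical checker that asks whether a leaked memory image can reproduce a recorded output.

```python
import hashlib
from itertools import product

# Assumption: H and G come from one hash with distinct one-byte prefixes.
def H(x: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + x).digest()

def G(x: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + x).digest()

def pi(u: int, x: int) -> bytes:
    """Manifold value z_u = pi_u(x_u); distinct for every (u, x_u) pair."""
    return bytes([u, x])

def make_elements(label: str, d: int) -> list:
    """Constructed initial elements (sample data, fixed 32-byte length)."""
    return [hashlib.sha256(f"{label}/f{u}".encode()).digest() for u in range(d)]

def output(elements, counts) -> bytes:
    """a = G(e_1|z_1| ... |e_d|z_d) for the given elements and counts."""
    return G(b"".join(e + pi(u, x)
                      for u, (e, x) in enumerate(zip(elements, counts))))

class StaggeredTag:
    def __init__(self, elements, t):
        if len(elements) != t:
            raise ValueError("this sketch assumes d == t so the offsets cover 0..t-1")
        self.e = list(elements)                   # confidential value memory
        self.t = t
        self.x = [1 + eps for eps in range(t)]    # x_u = 1 + eps_u at i = 1

    def read(self):
        """Deliver one output, then update exactly one element (S231-S237)."""
        a = output(self.e, self.x)                # S231-S233
        self.x = [x + 1 for x in self.x]          # S234: count up every x_u
        u = next(u for u, x in enumerate(self.x) if x > self.t)
        self.x[u] = 1                             # S235: the one x_u that passed t_u
        self.e[u] = H(self.e[u])                  # S236-S237: hash-chain update
        return a, u

def linkable(leaked_elements, recorded_output, t) -> bool:
    """True if the leaked elements reproduce recorded_output for some counts."""
    d = len(leaked_elements)
    return any(output(leaked_elements, xs) == recorded_output
               for xs in product(range(1, t + 1), repeat=d))

if __name__ == "__main__":
    tag = StaggeredTag(make_elements("C", 3), t=3)
    history = []
    for i in range(1, 7):
        a, u = tag.read()
        history.append(a)
        leaked = list(tag.e)   # memory image after the i-th communication
        print(i, "updated element", u,
              "past outputs linkable:", any(linkable(leaked, p, 3) for p in history))
```

Because one element is overwritten after every delivery, a memory image taken after communication i no longer contains the inputs of any earlier output, whatever counts are tried.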

EMBODIMENT 12

An embodiment 12 is a modification of the embodiment 11. In a similar manner as in the embodiment 11, in the embodiment 12 also, a point in time of communication when each element e_(u, vu) is updated is shifted. However, in the embodiment 12, each time a tag device delivers the tag output information a_(k, i) $\sum\limits_{u = 1}^{d}t_{u}$ times, either element e_(u′, vu′) is extracted, and a hash value H(e_(u′, vu′)) of the extracted element e_(u′, vu′) is calculated.

Specifically, in response to each external access, the tag device of the embodiment 12 counts up a counter x_(u)∈{1, . . . , t_(u)} corresponding to either one of d elements e_(u, vu) (for example, counts up by 1 in the sequence of e_(1, v1) . . . e_(d, vd)). Because the counter x_(u) corresponds to the manifold value z_(u) which constitutes the tag output information a_(k, i)=G(e_(1, v1)|z₁| . . . |e_(d, vd)|z_(d)), this tag device is capable of delivering the tag output information a_(k, i) having different values $\sum\limits_{u = 1}^{d}t_{u}$ times without updating each element e_(u, vu). In the present embodiment, either element e_(u, vu) is updated each time the tag output information a_(k, i) is delivered $\sum\limits_{u = 1}^{d}t_{u}$ times. In this manner, the amount of calculations for updating the tag device is minimized while maintaining the manifoldness of output values of the tag device.

In the following, only a distinction over the embodiments 1 and 11 will be described while omitting a description for what is common with the embodiments 1 and 11.

FIG. 27 is a flow chart for describing processing by the tag device of the embodiment 12. It should be noted that the entire functional arrangement is similar to embodiment 11 (FIG. 24).

A processing method of the present embodiment will be described below with reference to these Figures.

<Pre-Processing>

In the embodiment 11, a choice is made that x_(u)=i+ε_(u) (u∈{1, . . . , d}) and ε_(u) and t_(u) are set up such that it is assured that x_(u)=t_(u) is satisfied by either x_(u) at any point in time of communication. In the embodiment 12, these limitations are not employed.

<Processing by Tag Device>

A processing which occurs when a tag device 310 is read by a reader 20 during an i-th run (i being a natural number) will be described below. It is to be noted that the count x_(u) (u∈{1, . . . , d}) has an initial value (at i=1) equal to 1, and u′ and u″ also have initial values of 1. It is to be noted that u′ corresponds to an element e_(u′, vu′) being updated while u″ corresponds to the count x_(u″) of an element e_(u″, vu″) which is being counted up. Each parameter is stored in a memory 136 a under the control of the controller 136.

Initially, the hash calculator 1112 extracts each element e_(u, vu) from the confidential value memory 1111, and extracts either manifold value z_(u) (which is z_(u)=π_(u)(x_(u)) in this example) from the manifold value memory 1116 (step S241). The hash calculator 1112 then calculates tag output information a_(k, i)=G(e_(1, v1)|z₁| . . . |e_(d, vd)|z_(d)) which is a hash value of a bit combination value of each extracted element e_(u, vu) and either manifold value z_(u) (step S242).

The generated tag output information a_(k, i) is sent to the interface 114, which transmits the tag output information a_(k, i) (step S243).

Subsequently, an arithmetic operation of x_(u″)←x_(u″)+1 (u″∈{1, . . . , d}) is applied to x_(u″) in the memory by the controller 136 (step S244), thus determining whether or not x_(u″)>t_(u″) (where t_(u″) represents a maximum value of x_(u″)) (step S245). If it is determined that x_(u″)>t_(u″) does not apply, processings by the tag device 1110 are terminated.

On the other hand, if it is determined that x_(u″)>t_(u″), the controller 136 substitutes u″+1 for u″ in the memory 136 a (step S246), and determines whether or not u″>d (step S247). If u″>d does not apply, the processings by the tag device 1110 are terminated, but if u″>d applies, the hash calculator 813 extracts an element e_(u′, vu′) (an element corresponding to u′∈{1, . . . , d} mentioned above) from the confidential value memory 1111, and calculates a hash value H(e_(u′, vu′)) of the extracted element e_(u′, vu′) (step S248). The hash calculator 813 then saves this hash value H(e_(u′, vu′)) as a new element e_(u′, vu′+1) in the confidential value memory 1111 by overwriting (step S249).

Subsequently, an arithmetic operation of vu′←vu′+1 (a number of updates) takes place in the hash calculator 813, for example, (step S250) and it is determined whether or not vu′ has exceeded a maximum value (max) of the number of updates for the element e_(u′, vu′) (step S251). If it is determined that vu′>max does not apply, processings by the tag device 1110 are terminated, but if vu′>max, arithmetic operations of u′←u′+1 (a change of the element being updated) and vu′←0 (resetting of the number of updates for the element being updated) take place in the controller 136 (step S252), and these results are stored in the memory 136 a before terminating the processing by the tag device 1110.

By the processings mentioned above, it is seen that each time the interface 114 delivers tag output information a_(k, i) $\sum\limits_{u = 1}^{d}t_{u}$ times, the hash calculator 813 extracts either element e_(u′, vu′) from the confidential value memory 1111 and calculates a hash value H(e_(u′, vu′)) of the extracted element e_(u′, vu′) to update the confidential value memory 11.

<Processing by Reader>

This remains to be similar to the embodiment 8.

<Processing by Backend Apparatus>

This remains to be similar to the embodiment 11.

<Features of Embodiment 12>

[Efficiency]

In the embodiment 12, either element e_(u′, vu′) is updated each time the tag device 1110 performs a communication $\sum\limits_{u = 1}^{d}t_{u}$ times, and accordingly an amount of calculations for updating processing in the tag device 1110 can be reduced. In other words, in the present embodiment, tag output information a_(k, i)=G(e_(1, v1)|z₁| . . . |e_(d, vd)|z_(d)) is generated and delivered while substituting manifold values which are equal in number to $\sum\limits_{u = 1}^{d}t_{u}$ for every communication. Accordingly, during the communications which are equal in number to $\sum\limits_{u = 1}^{d}t_{u}$, the manifoldness of the output value of the tag device can be secured without updating the element e_(u, vu). By updating either element e_(u′, vu′) for every $\sum\limits_{u = 1}^{d}t_{u}$ communications, the manifoldness of the output during the following $\sum\limits_{u = 1}^{d}t_{u}$ communications can be secured. Since the element e_(u′, vu′) is updated only once for $\sum\limits_{u = 1}^{d}t_{u}$ communications, the amount of calculations for updating in the tag device 1110 can be minimized.

[Impossibility of Tracing]

The tag device 1110 of the present embodiment is constructed such that each time the interface 114 delivers tag output information a_(k, i) $\sum\limits_{u = 1}^{d}t_{u}$ times, the hash calculator 813 updates the confidential value memory 1111. Accordingly, if the tag device 1110 is tampered with to leak elements e_(u′, vu′) in the confidential value memory 1111 to an attacker, the number of past output values from the tag device 1110 which the attacker can know is less than $\sum\limits_{u = 1}^{d}t_{u}$. This allows the tracing of the tag device 110 to be suppressed while reducing the amount of processing for update calculations of the tag device 1110.

EMBODIMENT 13

An embodiment 13 is a modification of the embodiments 1 to 4, and 6 to 12, and is characterized by the two kinds of hash functions G(x) and H(x) used. In the description to follow, only these hash functions H(x) and G(x) will be described.

<No. 1>

The hash function G(x) in this example is hash(1|x) where hash represents a hash function for {0, 1}*→{0, 1}^(r) where r represents a natural number, and the hash function H(x) is hash(0|x). It should be noted that α|β represents a bit combination of α and β. The hash function G(x) may be chosen to be hash(0|x) while the hash function H(x) may be chosen to be hash(1|x).

<No. 2>

The hash function H(x) (first function F1) in this example is hash(p|x) where r, s are natural numbers, hash represents a hash function for {0, 1}*→{0, 1}^(r), and p∈{0, 1}^(s). The hash function G(x) (second function F2) is hash(q|x) where q∈{0, 1}^(s) and p≠q.

<No. 3>

The hash function H(x) (first function F1) is hash(pad(x, p)) when p padded to x (a padding of p to x) is represented by pad(x, p) where p∈{0, 1}^(s). The function G(x) (second function F2) is hash(pad(x, q)) when q padded to x (a padding of q to x) is represented as pad(x, q) where q∈{0, 1}^(s) and p≠q. A padding position (a position in a bit train) of p or q relative to x is not restricted in particular. By way of example, p or q may be bit combined before or after x or may be inserted into a bit train of x.

<No. 4>

The hash function H(x) (first function F1) is hash(x) where hash represents a hash function for {0, 1}*→{0, 1}^(r), and the function G(x) (second function F2) is hash(rx) where rx represents a bit inversion of x.

<Effect of Embodiment 13>

In the present embodiment, while using only one kind of hash function, two kinds of hash calculations G(x), H(x) can be implemented without collapsing the properties thereof (one-way nature, delivering random values). This allows a circuit scale which constitutes a hash function to be reduced, with a consequence that the scale of a circuit which is assembled into a tag device can be made smaller, realizing a reduction in the cost of a tag device.
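The four constructions No. 1 to No. 4 can be compared side by side. The following Python sketch is an added example, not code from the patent: SHA-256 stands in for hash, the bit prefixes of No. 1 are byte-aligned, the constants P and Q, the helper names and the simple backend search are all assumptions made for illustration.

```python
import hashlib


def base_hash(data: bytes) -> bytes:
    """The single underlying hash {0,1}* -> {0,1}^r (SHA-256, r = 256, assumed)."""
    return hashlib.sha256(data).digest()


# Constants p != q of equal length s (values constructed for this example).
P = b"tag-update"
Q = b"tag-output"


# No. 1: H(x) = hash(0|x), G(x) = hash(1|x); the bit is widened to one byte here.
def H1(x): return base_hash(b"\x00" + x)
def G1(x): return base_hash(b"\x01" + x)


# No. 2: H(x) = hash(p|x), G(x) = hash(q|x).
def H2(x): return base_hash(P + x)
def G2(x): return base_hash(Q + x)


# No. 3: H(x) = hash(pad(x, p)), G(x) = hash(pad(x, q)); padding appended after x.
def H3(x): return base_hash(x + P)
def G3(x): return base_hash(x + Q)


# No. 4: H(x) = hash(x), G(x) = hash(bit inversion of x).
def invert(x): return bytes(b ^ 0xFF for b in x)
def H4(x): return base_hash(x)
def G4(x): return base_hash(invert(x))
# Note: G4(x) == H4(invert(x)) by construction, so No. 4 keeps G and H apart
# only as long as a value and its complement are never both used as inputs.


VARIANTS = {"No. 1": (G1, H1), "No. 2": (G2, H2),
            "No. 3": (G3, H3), "No. 4": (G4, H4)}


def tag_outputs(seed, reads, G, H):
    """Simulate a tag: output G(secret) on each read, then overwrite the
    secret with H(secret). Returns (outputs, successive secrets)."""
    secret = seed
    outputs, states = [], [secret]
    for _ in range(reads):
        outputs.append(G(secret))
        secret = H(secret)
        states.append(secret)
    return outputs, states


def backend_identify(output, seeds, max_reads, G, H):
    """Assumed backend search: walk each tag's chain from its initial secret
    and report (tag_id, read_index) for the first matching output."""
    for tag_id, secret in seeds.items():
        for i in range(max_reads):
            if G(secret) == output:
                return tag_id, i
            secret = H(secret)
    return None


if __name__ == "__main__":
    seeds = {"tag-A": b"\x11" * 16, "tag-B": b"\x22" * 16}  # constructed secrets
    for name, (G, H) in VARIANTS.items():
        outs, _ = tag_outputs(seeds["tag-B"], 5, G, H)
        print(name, backend_identify(outs[3], seeds, 10, G, H), outs[3].hex()[:16])
```

With every variant the tag needs only one hash circuit, and an observed output never coincides with a stored secret, because the two calls hash different inputs.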

[Second Mode]

<Arrangement>

A second mode for carrying out the present invention will now be described.

In this mode, an updater which is provided externally of a tag device updates a privileged ID information which is stored in a tag device to a new privileged ID information, the association of which with respect to the privileged ID information is difficult to follow at a given opportunity.

<Arrangement>

FIG. 28 is a block diagram illustrating a schematic arrangement of the present mode.

As illustrated in FIG. 28, an updating system 1500 of the present mode comprises a tag device 1510 and a security server 1560 which is provided externally thereof.

A tag device 1510 comprises a confidential value memory which stores privileged ID information which has privileged a tag ID information which is inherent to each tag device, a read/write section 1512 electrically connected with the confidential value memory, a first output section 1513 and a second input section 1514 electrically connected with the read/write section 1512.

A security server 1560 comprises a first input section 1561, an updater 1562 electrically connected with the first input section 1561, and a second output section connected to the updater 1562.

<Update Processing of Privileged ID>

An updating of a privileged ID takes place as described below.

Initially, at a given opportunity, the read/write section 1512 of the tag device 1510 reads out privileged ID information sid_(h) which is stored in the confidential value memory 1511, and the first output section 1513 delivers the privileged ID information sid_(h) to the security server 1560 which is provided externally of respective tag devices.

The first input section 1561 of the security server 1560 accepts an input of privileged ID information sid_(h). The updater 1562 then generates new privileged ID information sid_(h)′, the association of which with the privileged ID information sid_(h) is difficult to follow, and the second output section 1563 delivers the new privileged ID information sid_(h)′ to the tag device 1510.

The second input section 1514 of the tag device 1510 accepts an input of the new privileged ID information sid_(h)′, and the read/write section 1512 stores the new privileged ID information sid_(h)′ in the confidential value memory 1511.

EMBODIMENT 14

FIG. 29 is a conceptual view illustrating an overall arrangement of an updating system 2000 of an embodiment 14.

As illustrated in this Figure, the updating system 2000 comprises a tag device 2010 such as a radio tag which is applied to goods, a client apparatus 2020, a backend apparatus 2050 which controls products distribution information or the like which relates to ID in plain text, and a security server 2060 which performs a restoration of ID, re-privileging of privileged ID (a server which re-privileges the privileged ID which is transmitted through the network and is equivalent to “updater”). The client apparatus 2020, the backend apparatus 2050 and the security server 2060 are connected to be capable of communication with each other through a network 2070 such as internet or the like. It is to be noted that the client apparatus 2020 has the function to operate as a reader described above in connection with the first mode. The effect which is implemented with the tag device, the reader and the backend apparatus in the first mode is implemented by the tag device 2010, the client apparatus 2020, the backend apparatus 2050 and the security server 2060. While one tag device 2010, client apparatus 2020, backend apparatus 2050 and security server 2060 are illustrated in this Figure, it should be understood that normally there are a plurality of tag devices, and a plurality of client apparatus, backend apparatus and security servers may also be provided.

The client apparatus 2020 of this example initially reads the privileged ID from the tag device 2010, and sends it to the security server 2060. The security server 2060 restores ID from the privileged ID, and returns this ID to the client apparatus 2020. Upon receiving the ID, the client apparatus 2020 accesses the backend apparatus 2050 to demand an entry of information such as ID, a date and time of reading, a location of reading, a temperature or the like and an acquisition of information relating to ID or the like. A proxy model can also be contemplated, in which the client apparatus 2020 transmits the privileged ID to the security server 2060, which then directly accesses the backend apparatus 2050. What characterizes the present embodiment is that an apparatus such as the security server 2060 or the like which is provided externally of the tag device 2010 re-privileges the privileged ID within the tag device 2010 (namely, updates the privileged ID to a separate privileged ID).

FIG. 30 is a block diagram illustrating a functional arrangement of an updating system 1 of the present embodiment.

<Tag Device>

A tag device 2010 in this example comprises a confidential value memory 2011, a read/write section 2012 (equivalent to “first read/write section”), an interface 2013 (equivalent to “first output section” and “second input section”), a memory 2014 a and a controller 2014.

Here, each of the confidential value memory 2011 and the memory 2014 a is an RAM (Random Access Memory) capable of read/write operation such as EEPROM (Electronically Erasable and Programmable Read Only Memory), FeRAM (Ferroelectric Random Access Memory), a flash memory, NV (Nonvolatile) RAM or the like, for example. The read/write section 2012 is a hardware which reads/writes data from or into the confidential value memory 2011 at a given address under the control of the controller 2014. The controller is an integrated circuit constructed to control processing by the entire tag device 2010, for example.

The interface 2013 is a hardware which inputs or outputs data with respect to the client apparatus 2020 by the radio or wire communication. Specifically, the interface 2013 comprises an encoding/decoding circuit which performs an encoding/decoding according to NRZ code, a Manchester code, Miller code, a single polarity RZ code or the like, a modulator/demodulator which performs a modulation/demodulation in accordance with ASK (Amplitude Shift Keying), PSK (Phase Shift Keying), FSK (Frequency Shift Keying) or the like, and an antenna such as a dipole antenna, a microstrip antenna, a loop coil, a cored coil or the like for performing a signal transmission and reception using a frequency in a low frequency band or ISM band (Industry Science Medical band). A communication system used may comprise an electromagnetic induction system or a radio wave system, for example.

The confidential value memory 2011 is electrically connected with the read/write section 2012, which is in turn electrically connected with the interface 2013. While not shown in this Figure, the controller 2014 is electrically connected to various parts of the tag device 2010.

<Client Apparatus>

The client apparatus 2020 of this example comprises an interface 2022, a communication section 2021, a memory 2024 a and a controller 2024.

A products distribution information memory 121 is a magnetic recorder such as a hard disc unit, a flexible unit or the like, an optical disc unit such as DVD-RAM (Random Access Memory), CD-R (Recordable)/RW (ReWritable) or the like, a magneto-optical such as MO (Magneto-Optical disc) or the like, or a semiconductor memory such as EEPROM (Electronically Erasable and Programmable Read Only Memory), a flash memory or the like. The interface 2022 is a hardware which is similar to the example of the interface 2013. The communication section 2021 comprises LAN card, a modem, a terminal adapter or the like, and the controller 2023 is CPU (Central Processing Unit) of CISC (Complex Instruction Set Computer) type, RISC (Reduced Instruction Set Computer) type, or the like and including a memory 2023 a.

The interface 22 and the communication section 2021 are electrically connected together, and while omitted from illustration in this Figure, the controller 2024 is electrically connected to various parts of the client apparatus 2020.

<Updater>

The security server 2060 comprises a communication section 2062 (equivalent to “first input section” and “second output section”), a random number generator 2063, a read/write section 2064 (equivalent to “second read/write section”), a privileged ID memory 2061, a memory 2065 a and a controller 2065. It is to be noted that the random number generator 2063, the read/write section 2964 and the privileged ID memory 2061 constitute together “updating section”. Specifically, the security server 2060 is constituted by a known computer of von Neumann type which is formed by connecting together a CPU, an RAM, an ROM (Read Only Memory), an external memory such as a magnetic recorder or an optical disc unit, a LAN card, a modem, a terminal adapter and the like through busses, for example, and which executes a given program. Each of the processing functions indicated below is implemented by the CPU, which reads a program stored in the RAM and executes a processing in accordance therewith.

<Processing>

FIG. 31 is a flow chart for describing a processing procedure of the present embodiment. A functional arrangement and a processing of the present embodiment will be described below with reference to FIGS. 29 to 31. It is to be understood that the tag device 2010, the client apparatus 2020 and the security server 2060 execute respective processings under the control of the controllers 2014, 2023 and 2065, respectively. Data which are processed are sequentially stored in the memory 2014 a, 2023 a or 2065 a, which is accessed as a processing such as a calculation takes place, but a description for this will be omitted in the description to follow.

<Pre-Processing>

Privileged ID information in this example is a random value r_(h) which is related to tag ID information id_(h). A random value r_(h) corresponding to the tag ID information id_(h) which is inherent to the tag device 2010 is stored as privileged ID information sid_(h) in the confidential value memory 2011 of the tag device 2010. Tag ID information id₁, . . . , id_(m) which corresponds to each tag device 2010 and privileged ID information or random values r₁, . . . , r_(m) which are related to the respective tag ID information are stored in a privileged ID memory 2061 of the security server 2060. It is to be noted that h represents a natural number equal to or greater than 1 and equal to or less than m, and represents the number of each tag device 2010. m represents a total number of tag devices.

<Privileged ID Information Updating Processing>

Initially, utilizing some sort of authentication technology, an authentication of each other is made between the client apparatus 2020 and security server 2060. A communication between the client apparatus 2020 and security server 2060 takes place under encryption according to some sort of encryption technology.

An updating processing of the privileged ID information sid_(h) is initiated by a trigger, which may be a passage through a location such as a porch which a man never fails to pass when he leaves a house, a number of times the privileged ID information stored in the tag device 2010 is used (a count reaching a given value) or the like. In response to the trigger, the client apparatus 2020 initially transmits a read command to the tag device 2010 from its interface 2022 (step S301). This read command is received by the interface 2013 of the tag device 2010, and this triggers the read/write section 2012 to extract the privileged ID information sid_(h) from the confidential value memory 2011 (step S302). The extracted privileged ID information sid_(h) is transmitted (delivered) from the interface 2013 to the client apparatus 2020 (step S303). The privileged ID information sid_(h) is received by the interface 2022 of the client apparatus 2020, and is transmitted together with a solicitation to update the privileged ID information (a demand to re-privilege) by the communication section 2021 to the security server 2060 through the network 2070 (step 304).

Information such as the privileged ID information (sid_(h)) or the like is received by the communication section 62 of the security server 2060 (its input is accepted) (step S305), and is sent to a read/write section 2064. This also triggers the random number generator 63 (equivalent to “random value generator”) to generate a random number r_(h)′ (step S306).

The generation of the random number r_(h)′ is carried out so as to avoid taking the same value as any privileged ID information in the privileged ID memory 2061. This generation takes place by using a pseudo-random number generating algorithm which is based on a calculation theory constructed with a one-way hash function such as SHA-1, for example, or the like, and the generated random number r_(h)′ is sent to the read/write section 2064. The read/write section 2064 retrieves (selects) tag ID information id_(h) corresponding to the privileged ID information sid_(h) from the privileged ID memory 2061, relates the random number r_(h)′ (equivalent to “random value”) as a new privileged ID information sid_(h)′ to the tag ID information id_(h), and stores it in the privileged ID memory 2061 (step S307). In addition, the read/write section 2064 sends the new privileged ID information sid_(h)′=r_(h)′ to a communication section 2062, which then transmits the new privileged ID information sid_(h)′ to the client apparatus 2020 (equivalent to “delivered to tag device”) through the network 2070 (step S308).

The transmitted new privileged ID information sid_(h)′ is received by the communication section 2021 of the client apparatus 2020, and is transmitted to the tag device 2010 from the interface 2022 (step S309). The tag device 2010 receives the new privileged ID information sid_(h)′ at the interface 2013 (accepts an input) and sends it to the read/write section 2012, which sends the new privileged ID information sid_(h)′ to the confidential value memory 2011 to be stored therein (step S310). Subsequently, the tag device 2010 sends this new privileged ID information sid_(h)′ to the backend apparatus 2050 through the reader in response to a read demand from the reader (not shown). The backend apparatus 2050 sends the received privileged ID information sid_(h)′ to a database memory 1131, which receives it at its communication section 2062 and sends it to the read/write section 2064. The read/write section 2064 retrieves a random value which coincides with the privileged ID information sid_(h)′ from the privileged ID memory 2061, reads out the tag ID information id_(h) which is related to the coinciding random value r_(h) and sends it to the communication section 2062, which then transmits it to the backend apparatus 2050.

<Features of Embodiment 14>

In the present embodiment, the privileged ID information which is stored in the tag device 2010 can be updated at arbitrary timing. This makes it possible to avoid a violation of privacy in which the tag device 2010 is traced on the basis of a common character of privileged ID information which remains in the history of communications or the like. Since a random value is used as privileged ID information, an attacker cannot know the association between privileged ID information before and after the update. Accordingly, a firm prevention of a tracing of the tag device 2010 can be realized. In addition, since a complicated re-privileging processing is performed in the security server 2060 which is external to the tag device 2010, there is no need to provide a circuit which would be required for purpose of re-privileging processing within the tag device 2010 itself. As a consequence, the cost of the tag device 2010 itself can be kept low.
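The update exchange of steps S301 to S310 and the later restoration of the tag ID can be traced in a few lines. This Python sketch is an added example and not part of the patent: the class and function names are hypothetical, the OS random source replaces the hash-based pseudo-random generator mentioned in the text, and discarding the old random value on update is an assumption the text does not spell out.

```python
import secrets

SID_BYTES = 16  # length of the random value r_h (assumed for this example)


class SecurityServer:
    """Stands in for security server 2060 and its privileged ID memory 2061."""

    def __init__(self):
        self.memory = {}  # privileged ID (random value) -> tag ID information

    def fresh_value(self):
        # Draw r_h' so that it never equals a value already in the memory.
        while True:
            r = secrets.token_bytes(SID_BYTES)
            if r not in self.memory:
                return r

    def provision(self, tag_id):
        # Pre-processing: relate an initial random value to the tag ID.
        sid = self.fresh_value()
        self.memory[sid] = tag_id
        return sid

    def update(self, sid):
        # S305-S308: look up id_h by sid_h, relate it to a new random value.
        if sid not in self.memory:
            raise KeyError("unknown privileged ID")
        new_sid = self.fresh_value()  # old sid is still stored, so new != old
        self.memory[new_sid] = self.memory.pop(sid)  # assumption: drop old value
        return new_sid

    def restore(self, sid):
        # Restoration of the tag ID for the backend; None if sid is unknown.
        return self.memory.get(sid)


class Tag:
    """Stands in for tag device 2010: stores and returns a value, no crypto."""

    def __init__(self, sid):
        self.sid = sid

    def read(self):
        return self.sid

    def write(self, sid):
        self.sid = sid


def client_update(tag, server):
    """Client apparatus 2020 relaying one update; returns (old, new)."""
    old = tag.read()            # S301-S303
    new = server.update(old)    # S304-S308
    tag.write(new)              # S309-S310
    return old, new


if __name__ == "__main__":
    server = SecurityServer()
    tag = Tag(server.provision("id-42"))  # constructed tag ID
    old, new = client_update(tag, server)
    print(old.hex(), "->", new.hex(), server.restore(new), server.restore(old))
```

The tag only stores and returns a value, which is the cost argument made above; everything that links old and new values lives in the server's memory.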

EMBODIMENT 15

This embodiment is a modification of the embodiment 14, and differs from the embodiment 14 in that an encrypted text according to a common key encryption technique is used as privileged ID information. In the following, a distinction over the embodiment 14 will be principally described.

FIG. 32 is a block diagram illustrating a functional arrangement of an updating system 2100 of the present embodiment. FIG. 33 is a flow chart for describing a processing procedure therefor. A functional arrangement and a processing of the present embodiment will be described below with reference to these Figures. It is to be noted that arrangements which are common to the embodiment 14 are designated in FIG. 32 by like characters as used in FIG. 30. A security server 2160 executes various processings under the control of a controller 2065. A key memory 2161, a read/write section 2064 and an ID extractor 2166, an encryptor 2167 and a random number generator 2063 constitute together “updating section”.

<Pre-Processing>

Privileged ID information of this mode represents information including a first encrypted text according to a common key encryption technique such as AES and a key ID information which corresponds to the common key used in this encryption. In this example, privileged ID information of a tag device 2110 is defined as sid_(h)=(ek_(j)(id_(h)|r), kid_(j)) where h is a natural number equal to or greater than 1 and equal to or less than m, and represents the number corresponding to the tag device 2110 and j is a natural number equal to or greater than 1 and equal to or less than n and represents the number corresponding to each key. m represents a total number of tag devices and n represents a total number of keys. In addition, k_(j) represents a j-th common key, kid_(j) key ID information corresponding to the common key k_(j) and r a random number. In addition, ek(α) represents an encrypted text which is obtained by encrypting α according to the common key encryption technique using a common key k, and α|β represents a bit combination of α and β.

Privileged ID information sid_(h)=(ek_(j)(id_(h)|r), kid_(j)) which corresponds to tag ID information id_(h) is stored in the confidential value memory 2111 of the tag device 2110 of this example. Each key ID information (kid₁, . . . , kid_(n)) and a common key (k₁, . . . , k_(n)) of the common encryption technology are stored in a key memory 2161 of a security server 2160 (equivalent to “updater”) in a manner relating to each other. In addition, information relating to the magnitude (bit length) and the padding position of a random number r appearing in sid_(h)=(ek_(j)(id_(h)|r), kid_(j)) is stored in a memory 2065 a.

It is to be noted that in this example, it is assumed that the total number m of the tag devices is sufficiently greater than the total number of keys (m ≫ n) such that identical key ID information is allotted to tag devices which are not related to each other. Specifically, for example, rather than allotting the identical key information to tag devices which are applied to a same variety of goods, the identical key ID information is allotted to tag devices which are applied to unrelated goods. In this manner, it is possible to prevent the variety of goods or a specific one of goods from being identified on the basis of the key ID information.

<Privileged ID Updating Processing>

In the similar manner as in the embodiment 14, the client apparatus 2020 transmits a read command to the tag device 2110 initially (step S320). The tag device 2110 extracts privileged ID information (sid_(h)=(ek_(j)(id_(h)|r), kid_(j))) from the confidential value memory 2111 (step S321), and transmits it to the client apparatus 2020 (step S322). In response thereto, the client apparatus 320 transmits the privileged ID information sid_(h) together with a solicitation for update to the security server 2160 (step 323).

Information including the privileged ID information sid_(h) is received by the communication section 2062 of the security server 2160 (step S324), and the first encrypted text ek_(j)(id_(h)|r) which constitutes the privileged ID information sid_(h) is sent to an ID extractor 2166 while the key ID information kid_(j) is sent to the read/write section 2064. kid_(j) is also recorded in the memory 2065 a.

Upon receiving the key ID information kid_(j), the read/write section 2064 extracts the common key k_(j) which corresponds to the key ID information kid_(j) from the key memory 2161 and sends it to the ID extractor 2166 (step S325). Upon receiving it, ID extractor 2166 decrypts the first encrypted text (ek_(j)(id_(h)|r)) using the common key k_(j) and extracts tag ID information id_(h). Specifically, the ID extractor 2166 calculates (id_(h)|r) from id_(h)=dk_(j)(ek_(j)(id_(h)|r)), and extracts id_(h) using information relating to the magnitude and the padding position of the random number r which is stored in the memory 2065 a (step S326). Here, dk(α) represents a decryption of an encrypted text α with the common key k. The calculated tag ID information id_(h) is sent to an encryptor 2167 together with the common key k_(j). The random number generator 2063 generates a random number r′, and sends it to the encryptor 2167 (step S327). Using the common key k_(j), the tag ID information id_(h) and the random number r′ which are sent thereto and information relating to the magnitude and the padding position of the random number which is stored in the memory 2065 a, the encryptor 2167 generates (calculates) a second encrypted text (ek_(j)(id_(h)|r′)) (a second encrypted text being one, the association of which with the first encrypted text is difficult to follow), and sends it to the communication section 2062 (step S328).

The communication section 2062 transmits (delivers) the encrypted text (ek_(j)(id_(h)|r′)) which is sent thereto and the key ID information kid_(j) in the memory 2065 a as a new privileged ID information (sid_(h)′=(ek_(j)(id_(h)|r′), kid_(j))) (step S329).

The new privileged ID information sid_(h)′ which is transmitted is received by the client apparatus 2020 through the network 2070 in the similar manner as in the embodiment 14, and is transmitted to the tag device 2110 (step S330). The tag device 2110 receives the new privileged ID information sid_(h)′ at its interface 2013, and the read/write section 2012 stores it in the confidential value memory 2111 (step S331), and in response to a subsequent read command from the reader, sends the new privileged ID information sid_(h)′ to the backend apparatus 2050 through the reader. The backend apparatus 2050 sends the received privileged ID information sid_(h)′ to the security server 2160, which receives it at its communication section 2062. The security server 2160 then decrypts the tag ID information by a procedure which is similar to steps S324 and 325, and sends it through the communication section 2062 and the network 2070 to the backend apparatus 2050.

<Features of Embodiment 15>

In the present embodiment, information including an encrypted text which is formed according to the common key encryption technique is used as privileged ID information, and accordingly, an attacker who does not know the common key cannot know an association of the privileged ID information before and after the update. In this manner, a firm prevention of a tracing of the tag device 2010 can be realized.

While an encrypted text formed by an exclusive logical sum of the random number and ID constitutes privileged ID information in the present embodiment, the privileged ID information may be constituted by any other method as long as the property of probability encryption (the property that if a same ID is encrypted with a same key, a different encrypted text can be delivered) is maintained. The same is true in an embodiment 16.

EMBODIMENT 16

An embodiment 16 is a modification of the embodiment 14, and differs from the embodiment 14 in that an encrypted text formed according to a public key encryption technique is used as privileged ID information. A distinction over the embodiment 14 will be principally described below.

FIG. 34 is a block diagram illustrating a functional arrangement of an updating system 2200 of the present embodiment, and FIG. 35 is a flow chart for describing a processing procedure therefor. A functional arrangement and a processing according to the present embodiment will be described below with reference to these Figures. It is to be noted that in FIG. 34, arrangements which are common to the embodiment 14 are designated by like characters as used in the embodiment 14. A read/write section 2064, a key memory 2261, an ID extractor 2266, an encryptor 2267 and a random number generator 2063 constitute together an “updating section”.

<Pre-Processing>

Privileged ID information in this mode comprises information including a first encrypted text according to a public key encryption technique such as RSA and a key ID information which corresponds to the public key used in the encryption. In this example, privileged ID information of a tag device 2210 is defined as sid_(h)=(epk_(j)(id_(h)|r), kid_(j)). It is to be understood that pk_(j) represents a j-th public key, kid_(j) key ID information which corresponds to the public key pk_(j) and epk(α) an encrypted text formed by encrypting α according to the public key encryption technique using the public key pk.

Privileged ID information sid_(h)=(epk_(j)(id_(h)|r), kid_(j)) is stored in a confidential value memory 2211 of the tag device 2210 of this example. Each key ID information (kid₁, . . . , kid_(n)), a secret key (sk₁, . . . , sk_(n)) and a public key (pk₁, . . . , pk_(n)) of the public key encryption technique (a key pair (sk_(j), pk_(j))) are stored in a manner relating to each other in a key memory 2261 of a security server 2260 (equivalent to “updater”). Information relating to the magnitude (bit length) and the padding position (bit position) of the random number r in sid_(h)=(epk_(j)(id_(h)|r), kid_(j)) is stored in a memory 2065 a of this example.

In the similar manner as in the embodiment 15, in this example, an identical key ID information is allotted to unrelated tag devices. This allows the variety of goods or a specific one of goods to be prevented from being identified on the basis of the key ID information.

<Privileged ID Updating Processing>

In the similar manner as in the embodiment 14, a client apparatus 2020 initially transmits a read command to the tag device 2210 (step S340). The tag device 2210 extracts privileged ID information sid_(h)=(epk_(j)(id_(h)|r), kid_(j)) from the confidential value memory 2211 (step S341), and transmits it to the client apparatus 2020 (step S342). In response thereto, the client apparatus 2020 transmits the privileged ID information sid_(h) together with a solicitation for update to the security server 2260 (step 343).

Information including the privileged ID information sid_(h) or the like is received by the communication section 2062 of the security server 2260 (step S344), and the first encrypted text epk_(j)(id_(h)|r) which constitutes the privileged ID information sid_(h) is sent to the ID extractor 266 while the key ID information kid_(j) is sent to the read/write section 2064. The key ID information kid_(j) is also recorded in the memory 2065 a.

Upon receiving the key ID information kid_(j), the read/write section 2064 extracts a secret key sk_(j) and a public key pk_(j) (or key pair) which corresponds to the key ID information kid_(j) from the key memory 2261, and sends the secret key sk_(j) to the ID extractor 2266 and sends the public key pk_(j) to the encryptor 2267, respectively (step S345). Upon receiving the secret key sk_(j), the ID extractor 2266 decrypts the first encrypted text epk_(j)(id_(h)|r) using the secret key sk_(j), and extracts tag ID information id_(h). Specifically, (id_(h)|r) is calculated according to id_(h)=dsk_(j)(epk_(j)(id_(h)|r)), and id_(h) is calculated using information relating to the magnitude and the padding position of the random number r in the memory 2065 a (step S346). Here, dsk(α) represents a decryption of an encrypted text α with the secret key sk. The calculated tag ID information id_(h) is sent to the encryptor 2267. The random number generator 2063 generates a random number r′, and sends it to the encryptor 2267 (step S347). Using the public key pk_(j), the tag ID information id_(h) and the random number r′ which are sent thereto and information relating to the magnitude and the padding position of the random number, the encryptor 2267 generates (calculates) an encrypted text (epk_(j)(id_(h)|r′)) (a second encrypted text, the association of which with the first encrypted text is difficult to follow), and sends it to the communication section 2062 (step S348).

The communication section 2062 transmits (delivers) the second encrypted text (epk_(j)(id_(h)|r′)) which is sent thereto and the key ID information kid_(j) in the memory 2065 a as a new privileged ID information sid_(h)′=(epk_(j)(id_(h)|r′), kid_(j)) (step S349).

The transmitted new privileged ID information sid_(h)′ is received by the client apparatus 2020 through the network 2070 in the similar manner as in embodiment 14, and is transmitted to the tag device 2210 (step S350). The tag device 2210 causes its read/write section 2012 to store the new privileged ID information sid_(h)′ in the confidential value memory 2211 (step S351). In response to a subsequent read command from the reader, this new privileged ID information sid_(h)′ is sent to the backend apparatus 2050 through the reader. The backend apparatus 2050 sends the received privileged ID information sid_(h)′ to the security server 2260, which then receives it by the communication section 2062. Subsequently, the security server 2260 decrypts tag ID information by a procedure similar to steps S345 and 346, and sends it to the backend apparatus 2050 through the communication section 2062 and the network 2070.

<Features of Embodiment 16>

Since information containing an encrypted text formed according to the public key encryption technique is used as privileged ID information in the present embodiment, an attacker who does not know the secret key cannot know the association between the privileged ID information before and after the update. In this manner, a firm prevention of a tracing of the tag device 2210 can be realized.

EMBODIMENT 17

This embodiment is a modification of the embodiment 14, and differs from the embodiment 14 in that privileged ID information is updated using an encryption algorithm having the property of re-encryption (the property of an encryption capable of generating a different encrypted text data only using encrypted data and the public key. A decryption takes place by using the same secret key). A distinction over the embodiment 14 will be principally described below.

FIG. 36 is a block diagram illustrating a functional arrangement of an updating system 2300 of the present embodiment, and FIG. 37 is a flow chart for describing a processing procedure therefor. A functional arrangement and a processing of the present embodiment will be described below with reference to these Figures. It is to be noted that in FIG. 36, arrangements which are common with the embodiment 14 are designated by like characters as used in the embodiment 14. A security server 2360 executes various processings under the control of a controller 2065. A key memory 2361, a read/write section 2064, a random number generator 2063, a remainder multiplication calculator 2366 and a remainder power calculator 2367 constitute together an “updating section”.

<Pre-Processing>

Privileged ID information according to this mode is information including a first encrypted text according to an encryption algorithm (public key encryption technique) which has the property of re-encryption, and key ID information which corresponds to the public key used in the encryption. In this example, ElGamal encryption (see Tatsuaki Okamoto and Hirosuke Yamamoto, “Modern encryption”, 1998, pp. 118-119, for example) is used, and privileged ID information of a tag device 2310 is defined as sid_(h)=(g^(r) mod p, id_(h)·pk_(j)^(r) mod p, kid_(j)). Here, g represents a publicized element of generation, p a sufficiently large prime number, r an arbitrary integer equal to or greater than 0 and equal to or less than p−1, pk_(j)=g^(skj) mod p a j-th public key, sk_(j) a j-th secret key, and (g^(r) mod p, id_(h)·pk_(j)^(r) mod p) an encrypted text. It is to be noted that super-index “skj” in pk_(j)=g^(skj) mod p means “sk_(j)”. In the description to follow and associated Figures, “mod p” will be omitted from description.

Privileged ID information sid_(h)=(g^(r), id_(h)·pk_(j)^(r), kid_(j)) is stored in a confidential value memory 2311 of the tag device 2310 of the present example. In addition, each key ID information (kid₁, . . . , kid_(n)) and a public key (pk₁, . . . , pk_(n)) are stored in a key memory 2361 of a security server 2360 (equivalent to “updater”) in a manner relating to each other. An element of generation g is stored in a memory 2065 a.

Again in this example, an identical key ID information is allotted to unrelated tag devices. This allows an identification of the variety of goods or a particular one of goods on the basis of the key ID information to be prevented.

<Privileged ID Updating Processing>

In the similar manner as in the embodiment 14, a client apparatus 2020 initially transmits a read command to the tag device 2310 (step S360). The tag device 2310 extracts privileged ID information sid_(h)=(g^(r), id_(h)·pk_(j)^(r), kid_(j)) from the confidential value memory 2311 (step S361), and transmits it to the client apparatus 2020 (step S362). In response thereto, the client apparatus 2020 transmits the privileged ID information sid_(h) together with a solicitation to update to the security server 2260 (step S363).

Information inclusive of the privileged ID information sid_(h) is received by the communication section 2062 of the security server 2360 (step S364), and (g^(r), id_(h)·pk_(j)^(r)) which constitutes the privileged ID information sid_(h) is sent to a remainder multiplication calculator 2366 (which constitutes “encrypting section”) while kid_(j) is sent to the read/write section 2064. kid_(j) is also recorded in the memory 2065 a.

Upon receiving key ID information kid_(j), the read/write section 2064 extracts a public key pk_(j) which corresponds to this key ID information kid_(j) from the key memory 2361, and sends it to a remainder power calculator 2367 (which constitutes “encrypting section”) (step S365). This triggers the random number generator 2063 to generate a random number r′ which is equal to or greater than 0 and equal to or less than p−1, and to send it to the remainder power calculator 2367 (step S366). The remainder power calculator 2367 calculates (g^(r′), pk_(j)^(r′)) using the element of generation g in the memory 2065 a, the public key pk_(j) and the random number r′ which are received, and sends a result of calculation to the remainder multiplication calculator 2366 (step S367). The remainder multiplication calculator 2366 calculates (g^(r+r′), id_(h)·pk_(j)^(r+r′)) using (g^(r′), pk_(j)^(r′)) and (g^(r), id_(h)·pk_(j)^(r)) which are received, and sends a result of calculation as an encrypted text (a second encrypted text) to the communication section 2062 (step S368).

The communication section 2062 transmits the sent encrypted text (g^(r+r′), id_(h)·pk_(j)^(r+r′)) (a second encrypted text, the association with the first encrypted text of which is difficult to follow) and key ID information kid_(j) in the memory 2065 a as new privileged ID information (sid_(h)′=(g^(r+r′), id_(h)·pk_(j)^(r+r′), kid_(j))) (step S369).

The transmitted new privileged ID information sid_(h)′ is received through the network 2070 by the client apparatus 2020 in the similar manner as in the embodiment 14, and is transmitted to the tag device 2310 (step S370). The read/write section 2012 of the tag device 2310 then stores the new privileged ID information sid_(h)′ in the confidential value memory 2311 (step S371). Subsequently, the tag device 2310 responds with this new privileged ID information (sid_(h)′) in response to a subsequent read command.

<Features of Embodiment 17>

In this embodiment, privileged ID information is updated using an encryption algorithm having a property of re-encryption, and accordingly, the privileged ID information can be updated without decrypting the ID into plain text. Consequently, there is no likelihood that the ID will be eavesdropped during the updating processing of privileged ID information, and a firm prevention of a tracing of the tag device 2310 can be realized.

While a public key (pk₁, . . . , pk_(n)) is stored in the key memory 2361 of the security server 2360 in the present embodiment, an arrangement can be used in which the security server 2360 does not maintain the public key (pk₁, . . . , pk_(n)), but acquires the public key (pk₁, . . . , pk_(n)) from a given public key server for use.

While ElGamal encryption is used in the present embodiment, a different algorithm such as a higher order remainder encryption may also be used provided it is an encryption algorithm having the property of re-encryption.

In addition, as modifications of the embodiment 16 and the embodiment 17, the tag ID information may be encrypted with a common key, and an encrypted text of the common key and tag ID information may be encrypted with the public key according to the above mentioned public key encryption technique to provide privileged ID information (hybrid encryption). In this instance, the security server acquires the common key by decrypting the privileged ID information with the secret key which corresponds to this public key, and decrypts the encrypted text of tag ID information using this common key to obtain tag ID information. Subsequently, the security server generates a separate encrypted text from this tag ID information according to the common key encryption technique, and the common key and the encrypted text may be further encrypted according to the public key encryption technique. The resulting encrypted text may be used as a new privileged ID information to be returned to a client apparatus. Subsequently, this new privileged ID information is stored in the confidential value memory of the tag device in the similar manner as in the embodiment 16 or the like.

EMBODIMENT 18

In an embodiment 18, a security server is changed at the time the privileged ID information is updated. A distinction over the embodiment 14 will be principally described below.

FIG. 38 is a conceptual view illustrating an overall arrangement of an updating system 2400 of the present embodiment. It is to be noted that in FIG. 38, arrangements which are common with the embodiment 14 are designated by like characters as used in the embodiment 14.

As illustrated in this Figure, the updating system 2400 comprises a tag device 2410, a client apparatus 2020 (equivalent to “update solicitor”), a plurality of security servers 2460-1˜v (equivalent to “updaters”) and a backend apparatus 2050, which are connected together to enable a communication therebetween through the network 2070.

FIG. 39 is a block diagram illustrating a functional arrangement of an updating system 2400 of the present embodiment, and FIG. 40 is a flow chart for describing a processing procedure therefor. A functional arrangement and a processing according to the present embodiment will be described below with reference to these Figures. It is to be noted that in FIG. 39, arrangements which are common with the embodiment 14 are designated by like characters as used in the embodiment 14. For brevity of illustration, only two security servers 2460-1 and 2460-2 are shown in FIGS. 38 and 39, but it should be understood that more than two security servers may be used to construct a system. In addition, while only processing function/data which are required for purpose of description are indicated in FIG. 39, it should be understood that either one of the security servers 2460-1 and 2460-2 may also contain processing functions and data which the other security server contains. The security servers 2460-1 and 2460-2 execute respective processings under the control of controllers 2465-1 and 2465-2.

<Pre-Processing>

Privileged ID information according to this mode is information including an encrypted text according to the public key encryption technique and key ID information which corresponds to the public key used in the encryption. In the present example, privileged ID information of the tag device 2410 is defined as sid_(h)=(epk_(j)(id_(h)), kid_(j)).

This privileged ID information sid_(h)=(epk_(j)(id_(h)), kid_(j)) is stored in the confidential value memory 2411 of the tag device 2410 of this example. Each key ID information (kid₁, . . . , kid_(n)) and a secret key (sk₁, . . . , sk_(n)) of the public key encryption technique are stored in a key memory 2461-1 of the security server 2460-1 in a manner relating to each other. Also, each key ID information (kid₁, . . . , kid_(n)) and a public key (pk₁, . . . , pk_(n)) of the public key encryption technique are stored in a key memory 2461-2 of the security server 2460-2 in a manner relating to each other.

In this example also, an identical key ID information is allotted to unrelated tag devices. This allows the variety of goods or a particular one of the goods to be prevented from being identified on the basis of the key ID information.

<Privileged ID Updating Processing>

In the similar manner as in the embodiment 14, a client apparatus 2020 initially transmits a read command to tag device 2410 (step S380). The tag device 2410 extracts the privileged ID information (sid_(h)=(epk_(j)(id_(h)), kid_(j))) from the confidential value memory 2411 (step S381) and transmits it to the client apparatus 2020 (step S382). In response thereto, the client apparatus 2020 causes its communication section 2021 (equivalent to “first ID output section”) to transmit (deliver) the privileged ID information sid_(h) extracted from the tag device 2410 together with a solicitation to update to the security server 2460-1 (step S383). It is to be noted that the security server 2460-1 is the security server which controls the privileged ID information stored in the tag device 2410 at this point in time.

Information inclusive of the privileged ID information sid_(h) is received by a communication section 2462-1 (equivalent to “first input section”) of the security server 2460-1 (step S384), and epk_(j)(id_(h)) which constitutes the privileged ID information sid_(h) is sent to an ID extractor 2466-1 while kid_(j) is sent to a read/write section 2464-1. Upon receiving the key ID information kid_(j), the read/write section 2464-1 extracts a secret key sk_(j) which corresponds to the key ID information kid_(j) from the key memory 2461-1 and sends it to the ID extractor 2466-1 (step S385). Upon receiving the secret key sk_(j), the ID extractor 2466-1 decrypts an encrypted text epk_(j)(id_(h)) using the secret key sk_(j) to determine tag ID information id_(h) (id_(h)=dsk_(j)(epk_(j)(id_(h)))) (step S386). The tag ID information id_(h) which is thus determined is sent to a communication section 2462-1 (equivalent to “second output section”), and thence transmitted (delivered) to the client apparatus 2020 through the network 2070 (step S387).

The tag ID information id_(h) delivered from the security server 2460-1 is received by the communication section 2021 of the client apparatus 2020 (accepted as an input) (step S388). Subsequently, the communication section 2021 transmits (delivers) the tag ID information id_(h) to an arbitrarily selected security server 2460-2 to solicit to update the privileged ID information (step S389).

The communication section 2462-2 (equivalent to “third input section”) of the security server 2460-2 receives (accepts as an input) this tag ID information id_(h) which is transmitted through the network 2070 and sends it to an encryptor 2467-2 (step S390). This triggers a key selection by a key selector 2468-2, and such information is sent to a read/write section 2464-2 (step S391). In the present example, the key selector 2468-2 selects an arbitrary key number i (such as a random number) from natural numbers equal to or greater than 1 and equal to or less than n, and sends this key number i to the read/write section 2464-2. The read/write section 2464-2 extracts key ID information kid_(i) and the public key pk_(i) which correspond to the received key number i from the key memory 2461-2, and sends them to the encryptor 2467-2 (step S392). The encryptor 2467-2 encrypts (privileges) the tag ID information id_(h) using the received public key pk_(i) (epk_(i)(id_(h))), and generates a new privileged ID information (sid_(h)′=(epk_(i)(id_(h)), kid_(i))) which comprises the encrypted text and the key ID information kid_(i) (step S393). The generated privileged ID information sid_(h)′ is sent to the communication section 2462-2, and the communication section 2464-2 (equivalent to “third output section”) transmits (delivers) this privileged ID information sid_(h)′ to the client apparatus 2020 through the network 2070 (step S394).

The client apparatus 2020 receives the privileged ID information (sid_(h)′) (accepts as an input) by its communication section 2021 (equivalent to “second input section”) (step S395), and transmits it through the interface 2022 to the tag device 2410 (step S396). The tag device 2460 stores the new privileged ID information sid_(h)′ in the confidential value memory 2411 (step S397), and responds with the new privileged ID information sid_(h)′ in response to a subsequent read demand. Hereafter, the security server 2460-2 acts as the security server which controls the privileged ID information stored in the tag device 2410. Accordingly, a decryption of the new privileged ID information sid_(h)′ takes place in the security server 2460-2 subsequently. Tag ID information id_(h) which represents a result of decrypting operation will be sent to the client apparatus 2020, the backend apparatus 2050 or the like. A decryption of the privileged ID information sid_(h)′ in the security server 2460-2 takes place using the secret key sk_(i) stored in a key memory 2461-2 (a secret key corresponding to kid_(i), not shown).

<Features of Embodiment 18>

It will be seen that in the embodiment 18, privileged ID information is decrypted by the security server 2460-1 which controls the privileged ID information in the tag device 2410, and the security server 2460-2 which is separate generates new privileged ID information to update the privileged ID information stored in the tag device 2410. In other words, an updating of the privileged ID information takes place simultaneously with changing the security server which controls the privileged ID information in the tag device 2410. This prevents a concentration of information relating to a history of updating the privileged ID information in a single security server, allowing the risks of information leaking from the security server and of a tort by a security server which is set up with a malignant intention to be alleviated. By making the changed security server a local one to which the public has no access, a higher level of safety can be realized.

The updating system of the present embodiment may be constructed with the common key encryption technique rather than the public key encryption technique.

Alternatively, the updating system of the present embodiment may be constructed by applying the mode such as the embodiment 14 in which a random value is used in the privileged ID information. In this instance, the new security server generates a random value in place of the encryption mentioned above, and adds the generated random value (privileged ID) and ID anew to the privileged ID memory as used in the embodiment 14.

EMBODIMENT 19

In an embodiment 19, re-privileging processing of the privileged ID information is performed by a client apparatus. Thus the client apparatus functions as an updater. In this instance, the client apparatus performs a re-privileging processing of the privileged ID information which is directly read out.

FIG. 41 is a block diagram illustrating a functional arrangement of an updating system 2500 of the present embodiment and FIG. 42 is a flow chart for describing a processing procedure therefor. A functional arrangement and a processing according to the present embodiment will be described below with reference to these Figures. It should be noted that characters as used in the embodiment 14 are applied to arrangements in FIG. 41 which are common with the embodiment 14. A distinction over the embodiment 14 will be principally described below.

<Pre-Processing>

The privileged ID information of the present embodiment is information including an encrypted text formed with an encryption algorithm (the public key encryption technique) having the property of re-encryption, and the key ID information which corresponds to the public key used in the encryption. In the present example, ElGamal encryption is used, and the privileged ID information in a tag device 2510 is defined as sid_(h)=(g^(r), id_(h)·pk_(j)^(r), kid_(j)).

This privileged ID information (sid_(h)=(g^(r), id_(h)·pk_(j)^(r), kid_(j))) is stored in the memory 2511 of the tag device 2510 of this example. Each key ID information (kid₁, . . . , kid_(n)) and a public key (pk₁, . . . , pk_(n)) are stored in the key memory 2524 of the client apparatus 2520 (equivalent to “updater”) in a manner relating to each other. An element of generation g is stored in a memory of a remainder multiplication calculator 2527.

Also in this example, an identical key ID information is allotted to unrelated tag devices. This prevents the variety of goods or a particular one of goods from being identified on the basis of the key ID information.

<Privileged ID Updating Processing>

The client apparatus 2520 executes processings indicated below under the control of a controller 2023.

In the similar manner as in the embodiment 14, initially the client apparatus 2520 transmits a read command to the tag device 2510 (step S400). The tag device 2510 extracts the privileged ID information (sid_(h)=(g^(r), id_(h)·pk_(j)^(r), kid_(j))) from the memory 2511 (step S401), and transmits it to the client apparatus 2520 (step S402).

This privileged ID information sid_(h) is received by the interface 2022 of the client apparatus 2520 (step S403), and an encrypted text (g^(r), id_(h)·pk_(j)^(r)) which constitutes the privileged ID information sid_(h) is sent to the remainder multiplication calculator 2528 (which constitutes an “encryptor”) while kid_(j) is sent to a read/write section 2525. kid_(j) is also recorded in a memory 2023 a.

Upon receiving the key ID information kid_(j), the read/write section 2525 extracts the public key pk_(j) which corresponds to this key ID information kid_(j) from the key memory 2524, and sends it to a remainder power calculator 2527 (which constitutes an “encryptor”) (step S404). This triggers the random number generator 2526 to generate a random number r′ which is equal to or greater than 0 and equal to or less than p−1, which is then sent to the remainder power calculator 2527 (step S405). The remainder power calculator 2527 calculates (g^(r′), pk_(j)^(r′)) using the element of generation g within its own memory, the received public key (pk_(j)) and the random number r′, and sends its result to the remainder multiplication calculator 2528 (step S406). The remainder multiplication calculator 2528 calculates (g^(r+r′), id_(h)·pk_(j)^(r+r′)) using received (g^(r′), pk_(j)^(r′)) and (g^(r), id_(h)·pk_(j)^(r)), and sends a result of calculation as a new encrypted text to the interface 2022 (step S407). The interface 2022 transmits (delivers) the encrypted text (g^(r+r′), id_(h)·pk_(j)^(r+r′)) which is sent thereto and key ID information kid_(j) in the memory of the interface 2022 as new privileged ID information (sid_(h)′=(g^(r+r′), id_(h)·pk_(j)^(r+r′), kid_(j))) (step S408).

The transmitted new privileged ID information sid_(h)′ is received by the interface 2013 of the tag device 2510, and is stored in the memory 2511 through the read/write section 2012 (step S409). Subsequently, in response to a read demand, the tag device 2510 responds with this new privileged ID information sid_(h)′.

<Features of Embodiment 19>

In the embodiment 19, the client apparatus 2520 re-privileges the privileged ID information within the tag device 2510. The client apparatus 2520 applies the re-privileging processing only to the privileged ID information which is directly read out by the interface 2022. This suppresses a leakage of information to a third party, securing a higher level of safety.

While the public key (pk₁, . . . , pk_(n)) is stored in the key memory 2524 of the security server 2520 in the present embodiment, an arrangement may be used in which the security server 2520 does not carry the public key (pk₁, . . . , pk_(n)), but acquires the public key (pk₁, . . . , pk_(n)) from a given public key server for use.

The arrangement of the security server shown in any of the modes from the embodiment 14 to the embodiment 16 may be applied to the client apparatus 2520 to execute processings of the present embodiment.
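The re-encryption of steps S365 to S368 (embodiment 17) and S404 to S407 (embodiment 19) can be followed in code. The Python below is an added example, not code from the patent: the toy group (p = 2039, g = 4), the key IDs and every function and class name are constructed for illustration, and r′ is drawn from 1 to q−1 because r′ = 0 would return the ciphertext unchanged.

```python
import secrets

# Constructed toy group, small enough to follow by hand and NOT secure:
# P = 2Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def keygen(sk=None):
    """Return (sk_j, pk_j) with pk_j = g^sk_j mod p."""
    if sk is None:
        sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)


def encrypt(tag_id, pk, r=None):
    """First encrypted text (g^r, id_h * pk_j^r), all arithmetic mod p."""
    # The page multiplies id_h in directly; a deployment would normally first
    # encode the ID as an element of the order-q subgroup.
    if not 0 < tag_id < P:
        raise ValueError("tag ID must be a nonzero residue mod p")
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, r, P), tag_id * pow(pk, r, P) % P


def reencrypt(ct, pk, r_new=None):
    """Second encrypted text (g^(r+r'), id_h * pk_j^(r+r')) from ct and pk only."""
    if r_new is None:
        r_new = 1 + secrets.randbelow(Q - 1)          # skip the no-op r' = 0
    mask = (pow(G, r_new, P), pow(pk, r_new, P))      # remainder power calculator
    return ct[0] * mask[0] % P, ct[1] * mask[1] % P   # remainder multiplication calculator


def decrypt(ct, sk):
    """id_h = c2 * c1^(-sk_j) mod p; the inverse comes from Fermat's little theorem."""
    return ct[1] * pow(ct[0], P - 1 - sk, P) % P


class Updater:
    """Holds only kid_j -> pk_j (like the key memory); no secret key, no plaintext ID."""

    def __init__(self, key_memory):
        self.key_memory = dict(key_memory)

    def update(self, sid, r_new=None):
        c1, c2, kid = sid
        if kid not in self.key_memory:
            raise KeyError(f"unknown key ID {kid!r}")
        if not (0 < c1 < P and 0 < c2 < P):
            raise ValueError("ciphertext component out of range")
        return (*reencrypt((c1, c2), self.key_memory[kid], r_new), kid)


def run_updates(tag_id, rounds=5):
    """Issue a tag, update it `rounds` times, return (sid history, decrypted IDs)."""
    sk, pk = keygen()
    updater = Updater({"kid-1": pk})                  # constructed key ID
    sid = (*encrypt(tag_id, pk), "kid-1")
    history = [sid]
    for _ in range(rounds):
        sid = updater.update(sid)
        history.append(sid)
    return history, [decrypt(s[:2], sk) for s in history]


if __name__ == "__main__":
    history, ids = run_updates(tag_id=1234)           # constructed sample tag ID
    for sid, plain in zip(history, ids):
        print(sid, "->", plain)
```

If the updater looks up a public key that does not match the key the ciphertext was made under, the update still succeeds but the secret-key holder later decrypts a different value, so the kid_j lookup is integrity-critical.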

EMBODIMENT 20

An embodiment 20 will now be described.

In this embodiment, a client apparatus (equivalent to “update solicitor”) previously acquires a plurality of privileged ID information, and selects one therefrom to be used in updating the privileged ID information within the tag device.

FIG. 43 is a block diagram illustrating a functional arrangement of an updating system 2600 of the present embodiment, and FIG. 44 is a flow chart for describing a processing procedure therefor. A functional arrangement and a processing of the present embodiment will be described below with reference to these Figures. It is to be noted that in FIG. 43, arrangements which are common with the embodiment 14 are designated by like characters as used in the embodiment 14. A distinction over the embodiment 14 will be principally described below.

<Pre-Processing>

Initially, the communication section 2021 (equivalent to “privileged ID input section”) of the client apparatus 2620 receives (accepts as input) a plurality of kinds of privileged ID information (sid_(h)−1, . . . , p) which are sent through the network 2070 (step S410). The plurality of kinds of privileged ID information (sid_(h)−1, . . . , p) are those which are obtained by repeating the method described in either one of the embodiment 14 to the embodiment 17 or by transmitting a plurality of kinds of privileged ID information in one operation from the security server 2660. When utilizing the method of the embodiment 14, it is necessary that a plurality of privileged ID information (sid_(h)−1, . . . , p) be stored in the privileged ID memory of the security server 2660 for one tag ID information. By contrast, when utilizing the method in either one of the embodiment 15 to embodiment 17, information which is stored in the security server 2660 may be similar to one of the embodiment 15 to the embodiment 17.

The communication section 2021 sends these privileged ID information (sid_(h)−1, . . . , p) to the read/write section 2624, which then stores them in the privileged ID memory 2625 (step S411).

<Privileged ID Updating Processing>

The client apparatus 2620 executes the processings described below under the control of the controller 2023.

Initially, the controller 23 determines whether or not there existed a given trigger (opportunity) to update the privileged ID information (step S412). What can be cited as such a trigger are that the privileged ID information has been read from the tag device 2610, that a count indicating a number of times the privileged ID information within the tag device 2610 has been used has reached a given value or the like. In the absence of a given trigger, a determination rendered at step S412 is continued, and in the presence of a given trigger, the read/write section 2624 (equivalent to “privileged ID extractor”) extracts one privileged ID information sid_(h)−j from the privileged ID memory 2625 (step S413). The selection of this one privileged ID information sid_(h)−j may take place at random, or may be in the sequence of an array in the manner of sid_(h)−1, sid_(h)−2, . . . and returning to sid_(h)−1 again after sid_(h)−p. The extracted one privileged ID information sid_(h)−j is sent from the read/write section 2624 to the interface 2022 (equivalent to “privileged ID output section”), and thence transmitted (delivered) to the tag device 2610 (step S414).

The tag device 2610 receives this privileged ID information sid_(h)−j at its interface 2013 (step S415), and stores it in a confidential value memory 2611 through the read/write section 2012 (step S416). Subsequently, the tag device 2610 responds with this new privileged ID information sid_(h)′ in response to a read command from the reader.

<Features of Embodiment 20>

In the present embodiment, a plurality of kinds of privileged ID information are previously stored in the client apparatus 2620, and the privileged ID information in the tag device 2610 is updated by the privileged ID information which is selected from the stored ones. The selection of the privileged ID information which is used in updating takes place within the client apparatus 2620, and its transmission takes place locally between the client apparatus 2620 and the tag device 2610. Accordingly, a leakage of information to a third party can be suppressed, securing a higher level of safety. If the transmission of the plurality of kinds of privileged ID information takes place in one operation from the security server 2660 to the client apparatus 2620, a number of times the security server 2660 is accessed can be reduced, thus alleviating a degradation in the performance of the system which is associated with the updating processing of the privileged ID information.

It should be noted that the opportunity for selecting/storing the privileged ID information is not limited to the one mentioned above, and an arrangement may be used in which after the privileged ID information stored in the client apparatus 2620 have been exhausted, a plurality of kinds of privileged ID information may be acquired again from the security server 2660 to be stored in the client apparatus 2620.

EMBODIMENT 21

An embodiment 21 will now be described.

This embodiment is a modification of the embodiment 20, and differs from the embodiment 20 in that the client apparatus acquires the privileged ID information delivered from a plurality of security servers (“updaters”).

FIG. 45 is a block diagram illustrating a functional arrangement of an updating system 2770 of the present embodiment. A functional arrangement and a processing of the present embodiment will be described below with reference to this Figure. It is to be noted that in FIG. 45, arrangements which are common with the embodiment 14 or the embodiment 20 are designated by like characters as used in the embodiment 14 or the embodiment 20. Only a distinction over the embodiment 20 will be described below.

<Pre-Processing>

The only difference over the embodiment 20 resides in that a client apparatus 2620 receives a plurality of kinds of privileged ID information (sid_(h)−1, . . . , p) which are sent from a plurality of security servers 2760-1, 2760-2, . . . , 2760-p. Privileging of ID in the plurality of security servers 2760-1, 2760-2, . . . , 2760-p takes place according to the method of the embodiment 18, for example.

<Privileged ID Updating Processing>

This remains to be similar to the embodiment 20.

<Features of Embodiment 21>

In the present embodiment, the client apparatus 2620 acquires the privileged ID information which is generated by the plurality of security servers 2760-1, 2760-2, . . . , 2760-p. Accordingly, a concentration of the history of updating the privileged ID information in one security server can be prevented, realizing a higher level of safety.

As mentioned above, when the method of the embodiment 14 is utilized to generate privileged ID information in the embodiment 20, there has been a need to hold a plurality of privileged ID information (sid_(h)−1, . . . , p) for one key ID information in the privileged ID memory of the security server. However, in the present embodiment, even though the method of the embodiment 14 is utilized to generate privileged ID information, the privileged ID information which is controlled by each security server may be only one privileged ID information for one key ID information. In this respect, a control of the privileged ID information can be simplified.

EMBODIMENT 22

An embodiment 22 will now be described.

This embodiment is a modification of the embodiment 20 and the embodiment 21, and in this modification, a plurality of privileged ID information which are acquired is stored in a tag device rather than in a client apparatus.

FIG. 46 is a block diagram illustrating a functional arrangement of an updating system 2800 of the present embodiment. A functional arrangement and a processing of the present embodiment will be described below with reference to this Figure. It is to be noted that in FIG. 46, arrangements which are common with the embodiment 14 are designated by like characters as used in the embodiment 14. A distinction over the embodiment 14, the embodiment 20 and the embodiment 21 will be principally described below.

<Pre-Processing>

Initially, a communication section 2021 of a client apparatus 2020 receives a plurality of kinds of privileged ID information (sid_(h)−1, . . . , p) which are sent through the network 2070. The plurality of kinds of privileged ID information (sid_(h)−1, . . . , p) which are received are sent to an interface 2022, and thence transmitted to a tag device 2810.

The tag device 2810 receives (accepts as input) the plurality of kinds of privileged ID information (sid_(h)−1, . . . , p) at its interface 2013 (equivalent to “privileged ID input section”), and sends them to a read/write section 2012, which then stores them in a privileged ID memory 2811. It is to be noted that the privileged ID information (sid_(h)−1, . . . , p) may be ones which are sent from a single security server or ones which are delivered from a plurality of security servers.

<Privileged ID Updating Processing>

The read/write section 2012 of the tag device 2810 (equivalent to “privileged ID extractor”) extracts one privileged ID information (sid_(h)−j) arbitrarily (for example, at random) from the privileged ID memory 2811 under the control of a controller 2014 in response to a trigger (opportunity) which may be a read command from a reader, for example, and transmits it from an interface 2013. The transmitted privileged ID information (sid_(h)−j) is used in a processing by the backend apparatus as described above in connection with the embodiment 14.

<Features of Embodiment 22>

In the present embodiment, a plurality of kinds of privileged ID information (sid_(h)−1, . . . , p) are stored in the tag device 2810, and one privileged ID information (sid_(h)−j) which is selected therefrom is used. This prevents the privileged ID information which is used in the acquisition of information relating to ID from being identical during each run, thus allowing a tracing of the tag device 2810 to be suppressed. Since the plurality of kinds of privileged ID information (sid_(h)−1, . . . , p) are stored in the tag device 2810 itself, the privileged ID information which is used can be updated even if an access to the client apparatus 2020 cannot be made (as when a reading processing is performed in a tag reader which does not have the function of a client apparatus 2020, for example).

EMBODIMENT 23

In this embodiment, a tag device is provided with a confidential value memory having a read-only region in which key ID information is stored and a rewritable region in which a first privileged ID information is stored. When re-privileging processing of the privileged ID information is made, key ID information and the first privileged ID information are extracted from the privileged ID memory to be delivered.

An updater accepts the key ID information and the first privileged ID information as inputs, and extracts a key which corresponds to the key ID information. Using the extracted key and the first privileged ID information, it generates a second privileged ID information, the association of which with the first privileged ID information is difficult to follow, and this second privileged ID information is delivered.

A tag device accepts the second privileged ID information as an input and stores the second privileged ID information which is input in the rewritable region of the privileged ID memory.

What is updated by the updater is only the privileged ID information. And what is rewritten in the tag device is only the privileged ID information in the rewritable region, and there is no change in the key ID information in the read-only region. Accordingly, if the privileged ID information in the rewritable region is rewritten to a privileged ID information which corresponds to a different tag device, the key ID information which is used in a decrypting processing of the privileged ID information remains unchanged from the original key ID information. For this reason, a decrypting server which is selected when decrypting the rewritten privileged ID information is a decrypting server which is selected on the basis of the original key ID information, for example, and it is possible that a decrypting processing of the rewritten privileged ID information may not be appropriately achieved. If the decrypting server were in common, the key which is used in the decrypting processing of the rewritten privileged ID information is the key which corresponds to the original key ID information, and accordingly, a decrypted result may become extraordinary.

This embodiment will be described below with reference to the drawings.

FIG. 47 is a conceptual view illustrating an overall arrangement of an updating system 3000 of this embodiment.

As illustrated in this Figure, an updating system 3000 comprises a tag device 3010 such as a radio tag or the like which is applied to goods, a client apparatus 3020, a backend apparatus 3050 which controls products distribution information or the like which relates to ID in plain text, a security server 3060 which performs a re-privileging processing of privileged ID information, and a security server 3070 which performs a restoration processing of ID. The client apparatus 3020, the backend apparatus 3050 and the security servers 3060 and 3070 are connected together to enable a communication therebetween through a network 3080 such as internet or the like. For brevity of description, in this Figure, only one each of the tag device 3010, the client apparatus 3020, the backend apparatus 3050 and the security servers 3060 and 3070 is shown, but it is to be noted that a plurality of tag devices are normally provided and that more than one client apparatus, backend apparatus and security servers may also be provided. In addition, the security servers 3060 and 3070 may be replaced by a security server which has both functions of the security servers 3060 and 3070.

The client apparatus 3020 of this example reads privileged ID information from the tag device 10 and sends it to the security server 3070. The security server 3070 restores ID from the privileged ID information, and returns this ID to the client apparatus 3020. Upon receiving ID, the client apparatus 3020 accesses the backend apparatus 3050 to demand an entry of information including ID, a date and time of reading, a location of reading, a temperature or the like and an acquisition of information relating to ID. Also, a mode of utilizing a proxy model may be contemplated in which the client apparatus 3020 transmits the privileged ID information to the security server 3070, which then directly accesses the backend apparatus 3050.

At a given opportunity, the privileged ID information within the tag device 3010 is subjected to re-privileging processing in the security server 3060 (namely, updating the privileged ID information into a separate privileged ID information), whereby the privileged ID information within the tag device 3010 is updated. In order to secure an opportunity to update the privileged ID information in a positive manner, the client apparatus 3020 may be located at the porch of a house. In this instance, each time a user who carries the tag device passes through the porch, the client apparatus 3020 reads the privileged ID information within the tag device 3010, which is re-privileged by the security server 3060 to be written into the tag device again.

The present embodiment is characterized in that the tag device 3010 is provided with privileged ID memory including a read-only region in which key ID information is stored and a rewritable region in which privileged ID information is stored, and that while the re-privileged privileged ID information is written into the rewritable region, the read-only region in which the key ID information is stored is not updated. It is to be noted that the privileged ID information which is stored in the rewritable region does not contain key ID information.

<Functional Arrangement/Processing>

FIG. 48 is an illustration of a functional arrangement of an updating system 3000 of the present embodiment, and FIGS. 49 and 50 are flow charts for describing a processing procedure therefor. A functional arrangement and a processing of the present embodiment will be described below with reference to these Figures. A description of the backend apparatus will be omitted in connection with FIG. 48 and subsequent Figures. The tag device 3010, the client apparatus 3020 and the security servers 3060 and 3070 execute respective processings under the control of controllers 3014, 3023, 3065 and 3075, respectively. Data which are processed are sequentially stored in memories 3014 a, 3023 a, 3065 a or 3075 a, and are accessed when a processing such as a calculation is performed, but this will be omitted from the description to follow.

<Pre-Processing>

In this mode, an encrypted text formed according to an encryption algorithm having the property of re-encryption (public key encryption technique) is used as privileged ID information. In this example, elliptical ElGamal encryption is used.

As shown in FIG. 48, the tag device 3010 of this example has a confidential value memory 3011 including a read-only region 3011 a and a rewritable region 3011 b. As a confidential value memory 3011, a rewritable memory such as rewritable ROM (Read Only Memory) such as EEPROM may be used, and given regions thereof may be allotted to the read-only memory 3011 a and the rewritable region 3011 b. Alternatively, a memory such as ROM which cannot be rewritten may be used to construct the read-only region 3011 a while a rewritable memory such as EEPROM may be used to construct the rewritable region 3011 b. Key ID information kid_(j) which specifies a secret key sk_(j) and a public key pk_(j) is stored (recorded) in the read-only region 3011 a, and privileged ID information sid_(h)=(g^(r), id_(h)·pk_(j)^(r)) is stored in the rewritable region 3011 b.

An element of generation g is stored in the memory 3065 a of the security server 3060 (“updater”), and each key ID information (kid₁, . . . , kid_(n)), a secret key (sk₁, . . . , sk_(n)) and a public key (pk₁, . . . , pk_(n)) are stored in the key memory 3071 of the security server 3070 (equivalent to “decryptor”) in a manner relating to each other.

In this example, it is assumed that a total number m of tag devices is sufficiently greater than a total number n of keys (m ≫ n), and an identical key ID information is allotted to unrelated tag devices. Specifically, rather than allotting an identical key ID information to tag devices which are applied to goods of the same variety, for example, an identical key ID information is allotted to tag devices which are applied to unrelated goods. This allows preventing tag devices, the variety of goods or a particular one of goods from being uniquely identified on the basis of the key ID information.

<Privileged ID Decrypting Processing>

Initially, a decrypting processing of privileged ID information which is performed when demanding a backend apparatus 50 to acquire information relating to ID will be described.

Initially, utilizing some sort of authentication technology, a mutual authentication is performed between the client apparatus 3020 and the security server 3070. It is to be noted that a communication between the client apparatus 3020 and the security server 3070 takes place by using an encryption according to some encryption technique.

The client apparatus 3020 then transmits a read command to the tag device 3010 from its interface 3022 (step S501). This read command is received by an interface 3013 of the tag device 3010, and this triggers a read/write section 3012 to extract key ID information kid_(j) from the read-only region 3011 a of the confidential value memory 3011 and to extract privileged ID information sid_(h) from the rewritable region 3011 b (step S502). The extracted privileged ID information sid_(h) and the key ID information kid_(j) are transmitted to the client apparatus 3020 through the interface 3013 (step S503), and are received by the interface 3022 of the client apparatus 3020. The client apparatus 3020 identifies an address of the security server 3070 from the received key ID information kid_(j), for example, and transmits the privileged ID information sid_(h) and key ID information kid_(j) to the security server 3070 from its communication section 3021 through a network 3080 (step S504).

The transmitted privileged ID information sid_(h) and key ID information kid_(j) are received by a communication section 3072 (equivalent to “privileged ID input section”) of the security server 3070 (accepted as inputs) (step S505), and the privileged ID information sid_(h) is fed to a decryptor 74 (equivalent to “ID calculator”) while the key ID information kid_(j) is fed to a read/write section 3073. The read/write section 3073 (equivalent to “key extractor”) extracts a secret key sk_(j) which corresponds to the key ID information kid_(j) which is sent thereto from a key memory 3071, and sends it to the decryptor 3074 (step S506). The decryptor 3074 calculates a tag ID information id_(h) which is decrypted from the privileged ID information sid_(h) using the privileged ID information sid_(h) and the secret key sk_(j) which are sent thereto. In this example, the tag ID information id_(h) is calculated by a calculation of id_(h)=(id_(h)·pk_(j)^(r))/(g^(r))^(skj). It is to be noted that the index “skj” in this calculation formula means “sk_(j)”. The calculated tag ID information id_(h) is sent to the communication section 3072, which then transmits it toward the client apparatus 3020 through the network 3080 (step S508). The client apparatus 3020 receives the transmitted tag ID information id_(h) at its communication section 3021 (step S509), and utilizes this tag ID information id_(h) for a subsequent inquiry to the backend apparatus 3050.

<Privileged ID Updating Processing>

Privileged ID information updating processing in the present embodiment will now be described.

Initially, using some sort of authentication technology, a mutual authentication is made between the client apparatus 3020 and the security server 3060. It is to be noted that a communication between the client apparatus 3020 and the security server 3060 takes place in an encrypted form according to some encryption technique.

Privileged ID information updating processing in this example is initiated at an arbitrary opportunity such as a passage of a user through a location such as a front porch which he never fails to pass when leaving the house or at a number of uses of privileged ID information stored in the tag device 3010 (such as a count reaching a given value), which acts as a trigger. In response to this trigger, the client apparatus 3020 transmits a read command to the tag device 3010 from its interface 3022 (step S511). This read command is received by the interface 3013 of the tag device 3010, and this triggers the read/write section 3012 (equivalent to “privileged ID extractor”) to extract key ID information kid_(j) from the read-only region 3011 a of the confidential value memory 3011 and to extract privileged ID information sid_(h) from the rewritable region 3011 b (step S512). The extracted privileged ID information sid_(h) and key ID information kid_(j) are transmitted (delivered) through the interface 3013 (equivalent to “privileged ID extractor”) to the client apparatus 3020 (step S513), and are received by the interface 3022 of the client apparatus 3020, which then transmits the received privileged ID information sid_(h) and key ID information kid_(j) to the security server 3060 through the communication section 3021 and the network 3080 (step S514).

The security server 3060 receives (accepts as inputs) the privileged ID information sid_(h) and the key ID information kid_(j) at its communication section 3061 (equivalent to “privileged ID input section”) (step S515), and sends the privileged ID information (sid_(h)=(g^(r), id_(h)·pk_(j)^(r))) to the remainder multiplication calculator 3064 (which constitutes “privileged ID updating section”). The communication section 3061 (equivalent to “key extractor”) transmits this key ID information kid_(j) together with a demand to acquire a public key to the security server 3070 through the network 3080.

The security server 3070 receives them at its communication section 3072, and sends the key ID information kid_(j) to the reader 3073. The reader 3073 extracts a public key pk_(j) which corresponds to this key ID information kid_(j) from the key memory 3071, and returns the extracted public key pk_(j) to the security server 3060 through the communication section 3072 and the network 3080.

The security server 3060 receives (extracts) this public key pk_(j) at its communication section 3061, and sends it to the remainder power calculator 3063 (which constitutes “privileged ID updating section”) (step S516). This triggers, for example, a random number generator 3062 to generate a random number r′ which is equal to or greater than 0 and equal to or less than p−1 and to send it to the remainder power calculator 3063 (step S517). The remainder power calculator 3063 calculates (g^(r′), pk_(j)^(r′)) using the element of generation g within the memory 3065 a, the received public key pk_(j) and the random number r′, and sends a result of the calculation to the remainder multiplication calculator 3064 (step S518). The remainder multiplication calculator 3064 calculates (g^(r+r′), id_(h)·pk_(j)^(r+r′)) using received (g^(r′), pk_(j)^(r′)) and (g^(r), id_(h)·pk_(j)^(r)), and sends a result of this calculation (an encrypted text) as new privileged ID information to the communication section 3061 (step S519). The communication section 3061 (equivalent to “privileged ID output section”) transmits (delivers) the privileged ID information (sid_(h)′=(g^(r+r′), id_(h)·pk_(j)^(r+r′))) (privileged ID information sid′, the association of which with the privileged ID information (sid_(h)′) before updating is difficult to follow) to the client apparatus 3020 through the network 3080 (step S520).

The transmitted new privileged ID information sid_(h)′ is received by the communication section 3021 of the client apparatus 3020, and is transmitted from its interface 3022 to the tag device 3010 (step S521). The tag device 3010 receives (accepts as input) this new privileged ID information sid_(h)′ at its interface 3013 (equivalent to “privileged ID input section”) (step S522), and its read/write section 3012 (equivalent to “privileged ID storage”) stores this new privileged ID information sid_(h)′ in the rewritable region 3011 b of the memory 3011 (step S523). The tag device 3010 responds with this new privileged ID information sid_(h)′ in response to a subsequent read demand.

<Features of Embodiment 23>

In the present embodiment, there is provided the confidential value memory 3011 having the read-only region 3011 a in which key ID information is stored and the rewritable region 3011 b in which the privileged ID information is stored, and only the privileged ID information stored in the rewritable region 3011 b is re-privileged to be updated. Accordingly, if privileged ID information of a separate tag device were written into the rewritable region 3011 b when re-privileging the privileged ID information, it is possible to detect such an irregularity/mistake.

By way of example, referring to FIG. 48, an instance is considered in which privileged ID information (g^(r), ID₂·pk₁^(r)) of a separate tag device which corresponds to key ID information kid₁ is stored in the rewritable region 3011 b of the confidential value memory 3011 of the tag device 3010. Even in this instance, key ID information which is stored in the read-only region 3011 a remains kid_(j), and the secret key which is extracted from the key memory 3071 by the reader 3073 during the decrypting processing of the security server 3070 is sk_(j) which corresponds to kid_(j). Accordingly, a result of decryption from the decryptor 3074 is (id₂·pk₁^(r))/(g^(r))^(skj) = (id₂·(g^(sk1))^(r))/(g^(r))^(skj) = ID₂·g^(sk1)/g^(skj), whereby a result of calculation indicates an extraordinary data. Accordingly, a decrypted result represented by extraordinary data allows a detection of the fact that the privileged ID information of a separate tag device has been written into the rewritable region.

Since a wrong rewriting of privileged ID information can be prevented without a control as by password of an access to the rewritable region 3011 b, the cost for the control circuit can be suppressed while dispensing with a complex password control for purpose of an access control.

Specifically, this enables an updating of privileged ID information at an arbitrary timing to be executed in a more reliable and safe manner and at a reduced cost, permitting a protection of the privacy of the tag device 3010.

It is added that while privileged ID information is generated and updated using elliptical ElGamal encryption in the present embodiment, an encryption having the property of re-encryption or re-privileging technique disclosed in Patent Application No. 2003-359157 may also be used. In addition, the security servers 3060 and 3070 may be unified, and in addition, the security server 3060 may be provided with a memory for the public key.

EMBODIMENT 24

The present embodiment is a modification of the embodiment 23, in which a confirmation is made to see whether or not a result of decrypting privileged ID information has any contradiction with the format of ID, thereby confirming whether or not privileged ID information which is delivered from the tag device is wrong. A distinction over the embodiment 23 will be principally described below while omitting a description of matters which are common with the embodiment 23.

FIG. 51 is an illustration of a functional arrangement of a security server 3170 (equivalent to “decryptor”) of the present embodiment, and FIG. 52 illustrates a format of tag ID information 3200 used in the present embodiment. FIG. 53 is a flow chart for describing a processing procedure by the security server 3170. It is to be noted that functional arrangements which are common with the embodiment 23 are designated in FIG. 51 by like characters as used in the embodiment 23.

<An Overall Arrangement/Hardware Arrangement>

The arrangement is similar to the embodiment 23 except that the security server 3070 is replaced by the security server 3170.

<Pre-Processing>

A distinction over the embodiment 23 lies in that an effective value of each field of ID is stored in an effective value memory 3176 of the security server 3170. In other respects, the process is similar as in the embodiment 23.

<Privileged ID Decrypting Processing>

A distinction over the embodiment 23 resides in substituting a processing illustrated in FIG. 53 by the security server 3170 for the processing by the security server 3070 mentioned above (FIG. 49: steps S505 to S508). Only the processing by the security server 3170 will be described below while omitting a description for other processing.

In the similar manner as in the embodiment 23, privileged ID information sid_(h) and key ID information kid_(j) transmitted from a client apparatus 3020 are received by a communication section 3072 (equivalent to “privileged ID input section”) of the security server 3170 (accepted as inputs) (step S531) and the privileged ID information sid_(h) is sent to a decrypting section 3074 (equivalent to “ID calculator”) while key ID information kid_(j) is sent to a reader section 3073. The reader section 3073 (equivalent to “key extractor”) extracts a secret key sk_(j) which corresponds to the key ID information kid_(j) which is sent thereto, and sends it to the decrypting section 3074 (step S532). The decrypting section 3074 calculates the tag ID information id_(h) which is decrypted from privileged ID information sid_(h) using privileged ID information sid_(h) which is sent thereto and the secret key sk_(j).

The calculated tag ID information id_(h) is sent to an ID structure verifier 3177 where the structure of the tag ID information id_(h) is verified (step S534). As illustrated in FIG. 52, ID 3200 of this example has fields including a header (h) 3210, a version code (vc) 3202, a manufacturer code (mc) 3203, a products code (pc) 3204 and a serial code (sc) 3205. An effective value which each field can assume is stored in an effective value memory 3176, and the ID structure verifier 3177 compares a value of each field in the received tag ID information id_(h) against an effective value which is extracted from the effective value memory 3176 to verify whether or not the value of each field in the received tag ID information id_(h) is within a range for the effective value. Upon a successful verification (step S535), the ID structure verifier 3177 sends the tag ID information id_(h) to the communication section 3072, which then transmits the tag ID information id_(h) to the client apparatus 3020 (step S536). On the other hand, when the verification is unsuccessful (step S535), the ID structure verifier 3177 destroys the tag ID information id_(h), terminating the processing operation.

<Features of Embodiment 24>

In the present embodiment, an arrangement is made for the ID structure verifier 3177 of the security server 3170 to verify whether or not the decrypted tag ID information id_(h) has any contradiction with a given ID format. This allows an extraordinary result, which may arise from decrypting privileged ID information after privileged ID information of a different tag device has been written into the rewritable region of the tag device, to be discovered in a reliable manner.
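The re-privileging of the embodiment 23 and the structure check of the embodiment 24 can be traced end to end in the following added example, which is not code from the patent. It assumes a toy multiplicative group modulo 2^127 − 1 in place of the elliptic-curve group, and the field widths, effective values, keys and function names are all constructed for illustration.

```python
import secrets

# Toy parameters (assumptions, not from the page): the multiplicative group
# modulo the Mersenne prime 2^127 - 1 stands in for the elliptic-curve group.
P = 2**127 - 1
G = 3  # "element of generation" g

# Constructed key memory of the decryptor: kid_j -> secret key sk_j.
KEY_MEMORY = {
    1: 0x1F3A5C7E9B2D4F60718293A4B5C6D7E8,
    2: 0x0A1B2C3D4E5F60718293A4B5C6D7E8F9,
}

# Assumed ID layout (field names from FIG. 52, widths chosen here) and a
# constructed "effective value memory".
FIELDS = (("h", 8), ("vc", 8), ("mc", 24), ("pc", 24), ("sc", 32))
ID_BITS = sum(width for _, width in FIELDS)
EFFECTIVE = {
    "h": {0x35},
    "vc": {1, 2},
    "mc": {0x00A1B2, 0x00C3D4},
    "pc": range(1, 5000),
    "sc": range(1, 2**32),
}


def pack_id(**fields):
    """Pack the named fields into one integer ID, header first."""
    value = 0
    for name, width in FIELDS:
        if not 0 <= fields[name] < 2**width:
            raise ValueError(f"{name} does not fit in {width} bits")
        value = (value << width) | fields[name]
    return value


def verify_structure(id_value):
    """ID structure verifier: every field must hold an effective value."""
    if id_value >> ID_BITS:
        return False  # longer than the ID format allows
    shift = ID_BITS
    for name, width in FIELDS:
        shift -= width
        if (id_value >> shift) & (2**width - 1) not in EFFECTIVE[name]:
            return False
    return True


def public_key(kid):
    return pow(G, KEY_MEMORY[kid], P)


def encrypt(id_value, pk):
    """sid = (g^r, id * pk^r)."""
    r = 1 + secrets.randbelow(P - 2)
    return pow(G, r, P), id_value * pow(pk, r, P) % P


def reencrypt(sid, pk):
    """Updater: multiply sid by (g^r', pk^r') without learning id or sk."""
    r2 = 1 + secrets.randbelow(P - 2)  # r' = 0 would leave sid unchanged
    return sid[0] * pow(G, r2, P) % P, sid[1] * pow(pk, r2, P) % P


def decrypt(sid, kid):
    """Decryptor: id = c2 / c1^sk, with sk selected by the tag's kid."""
    sk = KEY_MEMORY[kid]
    return sid[1] * pow(sid[0], P - 1 - sk, P) % P  # c1^(P-1-sk) = c1^(-sk)


def decrypt_and_verify(kid, sid):
    """Embodiment 24: release the ID only if its structure is valid."""
    id_value = decrypt(sid, kid)
    return id_value if verify_structure(id_value) else None


class Tag:
    """kid lives in the read-only region, sid in the rewritable region."""

    def __init__(self, kid, sid):
        self._kid = kid
        self.sid = sid

    @property
    def kid(self):  # no setter: the key ID cannot be rewritten
        return self._kid

    def read(self):
        return self.kid, self.sid


def scenario():
    id_a = pack_id(h=0x35, vc=1, mc=0x00A1B2, pc=42, sc=1001)
    id_b = pack_id(h=0x35, vc=2, mc=0x00C3D4, pc=77, sc=2002)
    tag_a = Tag(2, encrypt(id_a, public_key(2)))
    tag_b = Tag(1, encrypt(id_b, public_key(1)))

    old_sid = tag_a.sid
    tag_a.sid = reencrypt(old_sid, public_key(tag_a.kid))  # normal update
    changed = tag_a.sid != old_sid
    after_update = decrypt_and_verify(*tag_a.read())

    tag_a.sid = tag_b.sid  # sid of a separate tag (kid 1) written by mistake
    after_miswrite = decrypt_and_verify(*tag_a.read())
    return {"id_a": id_a, "ciphertext_changed": changed,
            "after_update": after_update, "after_miswrite": after_miswrite}
```

In `scenario()`, the updated ciphertext differs from the old one yet still decrypts to the same ID, while the mis-written ciphertext decrypts under sk₂ to a value that fails the field check and is discarded.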

EMBODIMENT 25

The present embodiment is a modification of the embodiment 23, and a distinction over the embodiment 23 resides in that during a re-privileging processing of privileged ID information, a secret key is applied to the key ID information and re-privileged privileged ID information to attach authentication information such as a digital signature, MAC or the like. A distinction over the embodiment 23 will be principally described below while omitting a description for other matters which are common with the embodiment 23.

FIGS. 54 and 55 illustrate functional arrangements of an updating system 3300 of the present embodiment, and FIGS. 56 and 57 are flow charts for describing a processing procedure. It is to be noted that in FIGS. 54 and 55, functional arrangements which are common with the embodiment 23 are designated by like characters as used in the embodiment 23.

<An Overall Arrangement/Hardware Arrangement>

The arrangement is similar to the embodiment 23 except that a tag device 3310 is substituted for the tag device 3010, a security server 3360 (equivalent to “updater”) is substituted for the security server 3060, and a security server 3370 (equivalent to “decryptor”) is substituted for the security server 3070.

<Pre-Processing>

Distinctions over the embodiment 23 reside in that privileged ID information sid_(h) and a digital signature (equivalent to “verification information”) are stored in a rewritable region 3311 b of a confidential value memory 3311 of the tag device 3310 and that the secret key sk_(j) and the public key pk_(i) used in the digital signature are stored in a key memory 3366 of the security server 3360. In other respects, the arrangement is similar to the embodiment 23.

<Privileged ID Updating Processing>

Privileged ID information updating processing of the present embodiment will now be described.

Initially, a client apparatus 3020 transmits a read command to the tag device 3310 from its interface 3022 (step S541). The read command is received by an interface 3013 of the tag device 3310, and this triggers a read/write section 3012 to extract key ID information kid_(j) from a read-only region 3011 a of the confidential value memory 3311 and to extract privileged ID information sid_(h) from the rewritable region 3311 b (step S542). The extracted privileged ID information sid_(h) and key ID information kid_(j) are transmitted to the client apparatus 3020 through the interface 3013 (step S543), and are received by the interface 3022 of the client apparatus 3020. The client apparatus 3020 transmits the received privileged ID information sid_(h) and key ID information kid_(j) to the security server 3360 through a communication section 3021 and a network 3080 (step S544).

The security server 3360 receives the privileged ID information sid_(h) and the key ID information kid_(j) at its communication section 3061 (step S545), and sends the privileged ID information (sid_(h)=(g^(r), id_(h)·pk_(j)^(r))) to a remainder multiplication calculator 3064. In the similar manner as in the embodiment 23, the communication section 3061 transmits the key ID information kid_(j) to the security server 3370 where the extracted public key pk_(j) is acquired (received) (step S546). This public key pk_(j) is sent to a remainder power calculator 3063, and a random number r′ which is generated in a random number generator 3062 (step S547) is also sent to the remainder power calculator 3063. The remainder power calculator 3063 calculates (g^(r′), pk_(j)^(r′)), and sends a result of calculation to the remainder multiplication calculator 3064 (step S548), which then calculates (g^(r+r′), id_(h)·pk_(j)^(r+r′)), and sends this result of calculation as new privileged ID information to the communication section 3061 and a signature generator 3368 (step S549). This triggers a reader 3367 to extract a secret key sk from the key memory 3366 and to send it to the signature generator 3368 (step S550). The signature generator 3368 (equivalent to “verification information generator”) also receives the key ID information kid_(j) from the communication section 3061 to generate a bit combination data (g^(r+r′)|id_(h)·pk_(j)^(r+r′)|kid_(j)) of g^(r+r′), id_(h)·pk_(j)^(r+r′) and kid_(j), for example, and generates a digital signature (equivalent to “verification information”) σ′=E_(sk)(g^(r+r′)|id_(h)·pk_(j)^(r+r′)|kid_(j)) which is formed by encrypting the bit combination data with the secret key sk (step S551). The generated new digital signature σ′ is sent to the communication section 3061 (equivalent to “privileged ID output section”), which transmits (delivers) the new privileged ID information (sid_(h)′=(g^(r+r′), id_(h)·pk_(j)^(r+r′))) which is previously sent thereto and the new digital signature σ′ to the client apparatus 3020 through the network 3080 (step S552).

The new privileged ID information sid_(h)′ and the digital signature σ′ which have been transmitted are received by the communication section 3021 of the client apparatus 3020 and are transmitted from the interface 3022 to the tag device 3310 (step S553). The tag device 3310 receives (accepts as inputs) the new privileged ID information sid_(h)′ and the digital signature σ′ at its interface 3013 (equivalent to “privileged ID input section”) (step S554), and the read/write section 3012 (equivalent to “privileged ID storing section”) stores the new privileged ID information sid_(h)′ and the digital signature σ′ in the rewritable region 3311 b of the confidential value memory 3311 (step S555). Subsequently, the tag device 3310 responds with the new privileged ID information sid_(h)′ and the digital signature σ′ in response to a read demand.

<Privileged ID Decrypting Processing>

Privileged ID information decrypting processing according to the present embodiment will now be described.

Initially, the client apparatus 3020 transmits a read command to the tag device 3310 from its interface 3022 (step S561). This read command is received by the interface 3013 of the tag device 3310, and this triggers the read/write section 3012 to extract key ID information kid_(j) from the read-only region 3011 a of the confidential value memory 3311 and to extract privileged ID information sid_(h)′ and digital signature σ′ from the rewritable region 3311 b (step S562). The extracted privileged ID information sid_(h)′, digital signature σ′ and key ID information kid_(j) are transmitted to the client apparatus 3020 from the interface 3013 (step S563), and are received by the interface 3022 of the client apparatus 3020. The client apparatus 3020 transmits such information from the communication section 3021 to the security server 3370 through the network 3080 (step S564).

The transmitted privileged ID information sid_(h)′, digital signature σ′ and key ID information kid_(j) are received by the communication section 3072 (equivalent to “privileged ID input section”) of the security server 3370 (accepted as inputs) (step S565), the digital signature σ′ is fed to a signature verifier 3376, the privileged ID information sid_(h) is fed to a decryptor 3074 (equivalent to “ID calculator”) and the signature verifier 3376, and the key ID information kid_(j) is fed to a reader 3073 and the signature verifier 3376.

The communication section 3072 also sends a public key acquisition demand to the security server 3360 through the network 3380, and the security server 3360 receives it at its communication section 3061 and causes its reader 3367 to extract the public key pk from the key memory 3363 and returns the public key pk through the communication section 3061 and the network 3080. The public key pk is received by the communication section 3072 of the security server 3370 (step S566) and is then sent to the signature verifier 3376.

The signature verifier 3376 decrypts the received digital signature σ′ using the public key pk (D_(pk)(σ′)), and generates a bit combination data (g^(r+r′)|id_(h)·pk_(j)^(r+r′)|kid_(j)) of g^(r+r′), id_(h)·pk_(j)^(r+r′) and kid_(j). It then verifies the digital signature σ′ by seeing whether or not D_(pk)(σ′) is equal to (g^(r+r′)|id_(h)·pk_(j)^(r+r′)|kid_(j)) (step S567). In the event D_(pk)(σ′)=(g^(r+r′)|id_(h)·pk_(j)^(r+r′)|kid_(j)) does not apply, the processing is terminated as a failure of verification. On the other hand, if D_(pk)(σ′)=(g^(r+r′)|id_(h)·pk_(j)^(r+r′)|kid_(j)) does apply, a read/write section 3073 (equivalent to “key extractor”) extracts a secret key sk_(j) which corresponds to the key ID information kid_(j) which is sent thereto from a key memory 3071, and sends it to the decryptor 3074 (step S568). Using the privileged ID information sid_(h)′ and the secret key sk_(j) which are sent thereto, the decryptor 3074 calculates tag ID information id_(h) which is decrypted from the privileged ID information sid_(h)′ (id_(h)=(id_(h)·pk_(j)^(r+r′))/(g^(r+r′))^(skj)) (step S569). It is to be noted that the index “skj” appearing in this calculation formula refers to “sk_(j)”. The calculated tag ID information id_(h) is sent to the communication section 3072, which then transmits it to the client apparatus 3020 through the network 3080 (step S570). The client apparatus 3020 receives the transmitted tag ID information id_(h) at its communication section 3021 (step S571), and utilizes this tag ID information id_(h) in its subsequent inquiry to the backend apparatus 3050.

<Features of Embodiment 25>

In this embodiment, an arrangement is made that during re-privileging processing, a digital signature σ′=E_(sk)(g^(r+r′)|id_(h)·pk_(j)^(r+r′)|kid_(j)) is generated in the security server 3360, and this digital signature σ′ is verified by the security server 3370 during the decrypting processing. Accordingly, during the decrypting processing, the authenticity of privileged ID information which is re-privileged can be verified by the digital signature, allowing a storage of a wrong privileged ID information in the tag device 3310 to be detected in a more reliable manner.

While the digital signature σ′ is generated in the security server 3360 in this mode, it is to be noted that the security server 3370 or a server of an authentication organization or the like may act for the generation of the digital signature σ′.

EMBODIMENT 26

This embodiment is a modification of the embodiment 23, and differs from the embodiment 23 in that of a variety of information which constitute a tag ID information, only that information which is inherent to each tag device is privileged to provide privileged ID information. A distinction over the embodiment 23 will be principally described below while omitting a description for matters which are common with the embodiment 23.

FIG. 58 is an illustration of a functional arrangement of a tag device 3410 of the present embodiment. It is to be noted that in FIG. 58, functional arrangements which are common with the embodiment 23 are designated by like characters as used in the embodiment 23.

<An Overall Arrangement/Hardware Arrangement>

This remains similar to the embodiment 23 except that the tag device 3010 is replaced by a tag device 3410.

<Pre-Processing>

A distinction over the embodiment 23 resides in that of a variety of information which constitute tag ID information, only that information which is inherent to each tag device is privileged to provide privileged ID information sid_(h). When using tag ID information having a data construction as illustrated in FIG. 52, the serial code (sc) 3205 represents information which is inherent to each tag device, and privileged ID information will be sid_(h)=(g^(r), sc_(h)·pk_(j)^(r)). This privileged ID information (sid_(h)=(g^(r), sc_(h)·pk_(j)^(r))) is stored in a rewritable region 3411 b of a confidential value memory 3411 of the tag device 3410. It is also a distinction over the embodiment 23 that information which is common to products such as the version code (vc) 3202, manufacturer code (mc) 3203 and products code (pc) 3204 are encrypted (E(vc), E(mc), E(pc)) and stored in a read-only region 3411 a of the confidential value memory 3411. It is to be noted that a probabilistic encryption or the like is used for encrypting information such as version code (vc) 3206 or the like which is common to every kind of products so that a different encrypted text may be obtained for the same products.

<Processing>

Privileged ID decrypting processing and privileged ID updating processing of this example remain similar to the embodiment 23 except that the privileged ID information is represented by sid_(h)=(g^(r), sc_(h)·pk_(j)^(r)). It is also another difference from the first mode that a read/write section 3012 extracts E(vc), E(mc), E(pc) or the like from the read-only region 3411 a of the confidential value memory 3411 to be transmitted to a backend apparatus 3050 through its interface 3013 and client apparatus 3020 or the like as required for an inquiry to the backend apparatus 3050.

<Features of Embodiment 26>

In the present embodiment, since only information which is inherent to each tag device is privileged to provide privileged ID information, an amount of data which is subject to the privileging processing can be reduced to reduce the amount of calculation and amount of communication in comparison to an arrangement in which information which is common to each kind of products is also privileged to provide privileged ID information.
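The re-privileging and decrypting arithmetic of Embodiments 25 and 26, as an added example that is not code from the patent: the serial code sc_(h) is encrypted as (g^(r), sc_(h)·pk_(j)^(r)), re-randomized to exponent r+r′ without the secret key, and decrypted only after a signature over (g^(r+r′)|sc_(h)·pk_(j)^(r+r′)|kid_(j)) has been checked. Assumptions: the group parameters, the serial code 1156 and the key ID "kid-1" are constructed toy values, and a Schnorr signature stands in for the unspecified E_(sk)/D_(pk) signature scheme.

```python
import hashlib
import secrets

# Constructed toy group: safe prime P = 2*Q + 1; G = 4 generates the order-Q
# subgroup of quadratic residues. Far too small for real use.
P, Q, G = 2579, 1289, 4


def rand_exp():
    """Uniform exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


def keygen():
    sk = rand_exp()
    return sk, pow(G, sk, P)


def in_group(x):
    """True when x lies in the order-Q subgroup the scheme works in."""
    return 0 < x < P and pow(x, Q, P) == 1


def privilege(sc, pk):
    """sid = (g^r, sc * pk^r); sc must already be encoded as a subgroup element."""
    if not in_group(sc):
        raise ValueError("serial code is not encoded as a subgroup element")
    r = rand_exp()
    return pow(G, r, P), sc * pow(pk, r, P) % P


def reprivilege(sid, pk):
    """Updater side: (g^r, m*pk^r) -> (g^(r+r'), m*pk^(r+r')), no secret key needed."""
    r2 = rand_exp()
    return sid[0] * pow(G, r2, P) % P, sid[1] * pow(pk, r2, P) % P


def decrypt(sid, sk):
    """m = (m*pk^r) / (g^r)^sk, with the division done as an inverse power."""
    a, b = sid
    return b * pow(a, P - 1 - sk, P) % P


def _challenge(commit, sid, kid):
    # Hash of the commitment and the bit combination (g^(r+r') | m*pk^(r+r') | kid).
    data = f"{commit}|{sid[0]}|{sid[1]}|{kid}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(sig_sk, sid, kid):
    """Schnorr signature (stand-in scheme) binding the ciphertext to its key ID."""
    k = rand_exp()
    e = _challenge(pow(G, k, P), sid, kid)
    return e, (k + e * sig_sk) % Q


def verify(sig_pk, sid, kid, sig):
    e, s = sig
    commit = pow(G, s, P) * pow(sig_pk, (-e) % Q, P) % P
    return _challenge(commit, sid, kid) == e


def decrypt_verified(sid, kid, sig, sig_pk, key_memory):
    """Steps S567-S569: check the signature, select sk_j by kid_j, then decrypt."""
    if not verify(sig_pk, sid, kid, sig):
        raise ValueError("signature does not cover this privileged ID")
    return decrypt(sid, key_memory[kid])


def demo():
    sc = 1156                              # constructed serial code (34^2, a subgroup element)
    kid = "kid-1"                          # hypothetical key ID
    sk_j, pk_j = keygen()                  # decryption key pair held by the decrypting server
    sig_sk, sig_pk = keygen()              # signing key pair of the re-privileging server
    sid = privilege(sc, pk_j)              # value first written to the tag
    sid2 = reprivilege(sid, pk_j)          # value after one update
    sig = sign(sig_sk, sid2, kid)
    recovered = decrypt_verified(sid2, kid, sig, sig_pk, {kid: sk_j})
    tampered = (sid2[0], sid2[1] * G % P)  # a wrong value stored in the tag
    return sid, sid2, recovered, verify(sig_pk, tampered, kid, sig)


if __name__ == "__main__":
    print(demo())
```

The two stored values differ in both components yet decrypt to the same serial code, and the signature made over the re-privileged value fails on the altered one, which is the detection property Embodiment 25 describes.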

It should be understood that the present embodiment is not limited to the described modes or embodiments mentioned above. By way of example, the present invention can be carried out in a mode which comprises a combination of embodiments, and in addition, a variety of processings mentioned above are not limited to those which are executed in a time sequence as described, but may be executed concurrently or individually depending on the processing capacity of the apparatus which executes a processing or as required. In addition, it should be understood that modifications can be suitably made without departing from the spirit of the present invention.

When the described arrangements are implemented using a computer, a processing content of a function which is to be performed by each apparatus is described in terms of a program. By executing the program on a computer, the processing function is implemented by the computer.

The program which describes such processing content can be recorded in a record medium which is readable by the computer. A record medium which is readable by the computer may comprise a magnetic recorder, an optical disc, a magneto-optical record medium, a semiconductor memory or the like, for example. Specifically, by way of example, the magnetic recorder may comprise a hard disc unit, a flexible disc, a magnetic tape or the like; an optical disc may comprise DVD (Digital Versatile Disc), DVD-RAM (Random Access Memory), CD-ROM (Compact Disc Read Only Memory), CD-R (Recordable)/RW (ReWritable); the magneto-optical record medium may comprise MO (Magneto-Optical disc) or the like; and the semiconductor memory may comprise EEP-ROM (Electronically Erasable and Programmable-Read Only Memory) or the like.

The distribution of the program may take place through a sale, a transfer or a lease or the like of a portable record medium such as DVD, CD-ROM or the like in which the program is recorded. Alternatively, the program may be stored in a memory of a server computer, and may be transferred from the server computer to another computer for purpose of distribution.

A computer which is used to execute the program may have the program which is recorded in the portable record medium or the program which is transferred from the server computer once stored in its own memory. When the processings are to be executed, this computer can read the program stored in its own record medium and executes processings in accordance with the program which is read out. In another mode of executing the program, the computer may directly read the program from the portable record medium, and then execute processings in accordance with the program. In addition, each time a program is transferred from the server computer to this computer, the computer may execute processings in accordance with the program received in a sequential manner. As a further alternative, rather than transferring the program from the server computer to this computer, the described processings can be executed by a so-called ASP (Application Service Provider) service in which the processing functions are realized by merely commanding execution and acquiring results. It is to be understood that a program in this mode is intended to include information which is used in a processing by an electronic computer and which conforms to a program (such as data which does not directly command a computer, but which has the property to rule the processing by the computer).

AVAILABILITY OF USE IN INDUSTRY

In accordance with the present invention, a likelihood that a distribution process of tag devices may be traced from information delivered from tag devices in RFID, for example, can be suppressed.

1. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which a confidential value corresponding to each tag ID information is stored in a confidential value memory of each tag device; comprising the steps of the tag device delivering tag output information which corresponds to a confidential value in the confidential value memory from an output section; and reading out at least part of elements of the confidential value from the confidential value memory, applying thereto a first function, an inverse image of which is difficult to obtain, and updating the confidential value in the confidential value memory with a result of such calculation by overwriting in a first calculator.
2. A tag privacy protection method according to claim 1 in which a second calculator of the tag device reads out the confidential value from the confidential value memory and applies a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to the confidential value read out, and a result of such calculation is the tag output information.
3. A tag privacy protection method according to claim 2 in which at least one of the first function F1 and the second function F2 is a hash function.
4. A tag privacy protection method according to claim 2 in which the first function F1 is a hash function H(x)=hash(p|x) where hash represents a hash function for {0, 1}*→{0, 1}^(r), p∈{0, 1}^(s) and r and s are natural numbers and in which the second function F2 is a hash function G(x)=hash(q|x) where q∈{0, 1}^(s) for p≠q.
5. A tag privacy protection method according to claim 2 in which the first function F1 is a hash function H(x)=hash(pad(x, p)) where hash represents a hash function for {0, 1}*→{0, 1}^(r), p∈{0, 1}^(s), pad(x, p) represents a padding of p to x and r and s are natural numbers and in which the second function F2 is a hash function G(x)=hash(pad(x, q)) where pad(x, q) represents a padding of q to x and q∈{0, 1}^(s) for p≠q.
6. A tag privacy protection method according to claim 2 where the first function F1 is a hash function H(x) for {0, 1}*→{0, 1}^(r) and r is a natural number and in which the second function F2 is a hash function G(x)=F(rx) where rx represents a bit inversion of x.
7. A tag privacy protection method according to claim 2 in which at least one of the first function F1 and the second function F2 is a common key encryption function.
8. A tag privacy protection method according to claim 2 in which the first function F1 and the second function F2 are an identical common key encryption function, to which different common keys are applied.
9. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which a first confidential value s_(k, i) corresponding to each tag ID information id_(k) is stored in a confidential value memory of each tag device k (k∈{1, . . . , m}, where m represents a total number of tag devices) and in which each tag ID information id_(n) (n∈{1, . . . , m}) and a corresponding second confidential value s_(n, 1) are stored in a database memory of a backend apparatus in a manner relating to each other; comprising the steps of the tag device reading out the first confidential value s_(k, i) from the confidential value memory, and applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to generate tag output information F2(s_(k, i)) in a second calculator; delivering the tag output information F2(s_(k, i)) from an output section; and reading out the first confidential value s_(k, i) from the confidential value memory, applying thereto a first function F1, an inverse image of which is difficult to obtain, and saving a result of such calculation F1(s_(k, i)) as new first confidential value s_(k, i+1) in the confidential value memory by overwriting in a first calculator; the backend apparatus accepting an input of the tag output information F2(s_(k, i)) at an input section; reading out the second confidential value s_(n, 1) from the database memory, applying to each second confidential value s_(n, 1) read out j times (j∈{0, . . . , j_(max)}) the first function F1 and subsequently applying the second function F2 thereto in a third calculator; comparing the tag output information F2(s_(k, i)) against the result of calculation F2(F1^(j)(s_(n, 1))) in a comparator; in the event the tag output information F2(s_(k, i)) does not match the result of calculation F2(F1^(j)(s_(n, 1))), the processings in the third calculator and the comparator being executed again by changing the value of at least one of n and j; and extracting by a reader the tag ID information id_(n) which is related to the second confidential value S_(n, 1) corresponding to the matched result of calculation F2(F1^(j)(s_(n, 1))) from the database memory when the tag output information F2(s_(k, i)) matches the result of calculation F2(F1^(j)(s_(n, 1))).
10. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which a first confidential value s_(k, i) and a first proper value w_(k) corresponding to each tag ID information id_(k) are stored in a confidential value memory of each tag device k (k∈{1, . . . , m}, where m represents a total number of tag devices) in a manner relating to each other and in which each tag ID information id_(n) (n∈{1, . . . , m}) and a corresponding second confidential value s_(n, 1) and a second proper value w_(n) are stored in a database memory of a backend apparatus in a manner relating to each other; comprising the steps of the tag device reading out the first confidential value s_(k, i) from the confidential value memory and applying thereto a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to generate tag output information F2(s_(k, i)) in a second calculator; delivering the tag output information F2(s_(k, i)) from an output section; reading out the first confidential value s_(k, i) and the first proper value w_(k) from the confidential value memory, applying a first function F1, an inverse image of which is difficult to obtain, to a bit combination value of the first confidential value and the first proper value, and saving a result of such calculation F1(s_(k, i)|w_(k)) as a new confidential value s_(k, i+1) in the confidential value memory by overwriting in a first calculator; the backend apparatus accepting an input of the tag output information F2(s_(k, i)) by an input section; reading out the second confidential value s_(n, 1) and the second proper value w_(n) from the database memory, and applying the second function F2 to I^(j)(n) where I^(j)(n)=s_(n, 1) (j=0) and I^(j)(n)=F1(I^(j−1)(n))|id_(n)) (j≧1) to calculate F2(I^(j)(n)) in a third calculator; comparing the tag ID information F2(s_(k, i)) and a result of calculation F2(I^(j)(n)) in the third calculator in a comparator; in the event the tag output information F2(s_(k, i)) does not match the result of calculation F2(I^(j)(n)), the processings in the third calculator and the comparator being executed again by changing the value of at least one of n and j; and in the event the tag output information F2(s_(k, i)) matches the result of calculation F2(I^(j)(n)), extracting the tag ID information id_(n) which is related to the second confidential value s_(n, 1) and the second proper value w_(n) corresponding to the matching result of calculation F2(I^(j)(n)) from the database memory by a reader.
11. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which a first confidential value s_(k, i) and a first proper value w_(k) which correspond to each tag ID information id_(k) are stored in a confidential value memory of each tag device k (k∈{1, . . . , m}, where m represents a total number of tag devices) and in which a tag ID information id_(n) (n∈{1, . . . , m}) and a second confidential value S_(n, 1) and a second proper value w_(n) which correspond thereto are stored in a database memory of a backend apparatus in a manner relating to each other; comprising the steps of the tag device reading out the first confidential value s_(k, i) and the first proper value w_(k) from the confidential value memory and applying to a bit combination value thereof a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to generate tag output information F2(s_(k, i)|w_(k)) in a second calculator; delivering the tag output information F2(s_(k, i)|w_(k)) from an output section; and reading out the first confidential value s_(k, i) from the confidential value memory, applying a first function F1, an inverse image of which is difficult to obtain, to the first confidential value s_(k, i) which is read out, and saving a result of such calculation F1(s_(k, i)) as a new first confidential value s_(k, i) in the confidential value memory by overwriting in a first calculator; the backend apparatus accepting the tag output information F2(s_(k, i)|w_(k)) as an input at an input section at an input section; reading out the second confidential value s_(n, 1) and the second proper value w_(n) from the database memory, applying j times (j∈{0, . . . , j_(max)}) the first function F1 to the second confidential value s_(n, 1) to determine a bit combination value F1^(j)(s_(n, i))|w_(n) of a resulting F1^(j)(s_(n, i)) and the second proper value w_(n), and applying the second function F2 to the bit combination value F1^(j)(s_(n, i))|w_(n) in a third calculator; comparing the tag output information F2(s_(k, i)|w_(k)) against a result of calculation in the third calculator F2(F1^(j)(S_(n, i))|w_(n)) in a comparator; in the event the tag output information F2(s_(k, i)|w_(k)) does not match the result of calculation F2(F1^(j)(s_(n, i))|w_(n)), executing the processings in the third calculator and the comparator again by changing the value of at least one of n and j; and in the event the tag output information F2(s_(k, i)|w_(k)) matches the result of calculation F2(F1^(j)(s_(n, i))|w_(n)), extracting the tag ID information id_(n) which is related to the second confidential value s_(n, 1) and the second proper value w_(n) corresponding to the matching result of calculation F2(F1^(j)(s_(n, i))|w_(n)) from the database memory by a reader.
12. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which a first proper value w_(k) corresponding to each tag ID information id_(k) and a first confidential value s_(i) which assumes an identical initial value s_(i) for a plurality of tag ID information are stored in a confidential value memory of each tag device k (k∈{1, . . . , m}, where m represents a total number of tag devices), each tag ID information id_(n) (n∈{1, . . . , m}) and a corresponding second proper value w_(n) are stored in a database memory of a backend apparatus in a manner relating to each other, and a first result of calculation s_(j+1) obtained by applying j times (j∈{0, . . . , j_(max)}) a first function F1 to the second confidential value s₁ which is used in common by the plurality of tag ID information is stored in a calculated value memory of the backend apparatus; comprising the steps of the tag device reading out the first confidential value s_(i) and the first proper value w_(k) from the confidential value memory and applying to a bit combination value thereof a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to generate tag output information F2(s_(i)|w_(k)) in a second calculator; delivering the tag output information F2(s_(i)|w_(k)) from an output section; and reading out the first confidential value s_(i) from the confidential value memory, applying the first function F1, an inverse image of which is difficult to obtain, to the first confidential value s_(i) which is read out, and saves a result of such calculation F1(s_(i)) as a new first confidential value s_(i+1) in the confidential value memory by overwriting in a first calculator; the backend apparatus accepting the tag output information F2(s_(i)|w_(k)) as an input at an input section; reading out a result of the first calculation s_(j+1) and the second proper value w_(n) from the database memory to obtain a bit combination value s_(j+1)|w_(n) thereof, and applying the second function F2 thereto in a third calculator; comparing the tag output information F2(s_(i)|w_(k)) against a result of the calculation by the third calculator F2(s_(j+1)|w_(n)) in a comparator; in the event the tag output information F2(s_(i)|w_(k)) does not match the result of the calculation F2(s_(j+1)|w_(n)), executing the processings in the third calculator and the comparator again by changing the value of at least one of n and j; and in the event the tag output information F2(s_(i)|w_(k)) matches the result of the calculation F2(s_(j+1)|w_(n)), extracting the tag ID information id_(n) which is related to the second proper value w_(n) corresponding to the matching result of calculation F2(s_(j+1)|w_(n)) from the database memory by a reader.
13. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which a combination of d (d≧2) elements e_(u, vu) (u∈{1, . . . , d}) corresponding to each tag ID information id_(k) is stored in a confidential value memory of each tag device k (k∈{1, . . . , m}, where m represents a total number of tag devices) and in which a combination of d initial elements f_(u, 0) comprising one selected from each of d kinds (d≧2) of subgroups α_(u) (u∈{1, . . . , d}) and the tag ID information id_(n) of each tag device n (n∈{1, . . . , m}) are stored in a database memory of a backend apparatus in a manner relating to each other comprising the steps of; the tag device reading out the d elements e_(u, vu) from the confidential value memory to form a bit combination value thereof which represents a confidential value s_(k, i) and applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to the confidential value s_(k, i) to generate tag output information a_(k, i)=F2(s_(k, i)) in a second calculator; delivering the tag output information a_(k, i) from an output section; and extracting at least part of elements e_(u′, vu′) (u′∈{1, . . . , d}) from the confidential value memory, applying a first function F1, an inverse image of which is difficult to obtain, to the extracted elements e_(u′, vu′), and saving a result of such calculation F1(e_(u′, vu)′) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting in a first calculator; the backend apparatus accepting the tag output information a_(k, i) as an input at an input section; applying the first function F1 w_(u) times (w_(u)∈{1, 2, . . . , max}) to d initial elements f_(u, 0) (u∈{1, . . . , d}) corresponding to the tag ID information id_(n), and applying the second function F2 to a bit combination value of these values F1^(wu)(f_(u, 0)) to determine a calculated value c in a third calculator; comparing the tag output information a_(k, i) against the calculated value c in a comparator; in the event the tag output information a_(k, i) does not match the calculated value c, executing the processings in the third calculator and the comparator again by changing the value of at least part of n and w_(u); and in the event the tag output information a_(k, i) matches the calculated value c, extracting tag ID information id_(n) which is related to the combination of d initial elements f_(u, 0) corresponding to the calculated value c from the database memory by a reader.
14. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which a combination of d (d≧2) elements e_(u, vu) (u∈{1, . . . , d}) which corresponds to each tag ID information id_(k) and a proper value γ_(k) which is inherent to each tag ID information id_(k) are stored in a confidential value memory of each tag device k (k∈{1, . . . , m}, where m represents a total number of tag devices) and in which a combination of d (d≧2) elements e_(u, vu) (u∈{1, . . . , d}) which corresponds to each tag ID information id_(k) and a proper value γ_(k) which is inherent to each tag ID information id_(k) are stored in a database memory of a backend apparatus in a manner relating to each other; comprising the steps of the tag device reading out the d elements e_(u, vu) and the proper value γ_(k) from the confidential value memory, and applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to a confidential value s_(k, i) which is a bit combination value of the d elements and the proper value to generate tag output information a_(k, i)=F2(s_(k, i)) in a second calculator; delivering the tag output information a_(k, 1) from an output section; and extracting at least part of elements e_(u′, vu′) (u′∈{1, . . . , d}) from the confidential value memory, applying a first function F1, an inverse image of which is difficult to obtain, to the extracted elements e_(u′, vu′), and saving a result of such calculation F1(e_(u′, vu′)) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting in a first calculator; the backend apparatus accepting the tag output information a_(k, i) as an input at an input section; applying the first function F1 w_(u) times (w_(u)∈{1, 2, . . . , max}) to the d initial elements f_(u, 0) (u∈{1, . . . , d}) corresponding to the tag ID information id_(n) and applying the second function F2 to a bit combination value of the function values F1^(wu)(f_(u, 0)) and the proper value γ_(n) to determine a calculated value c in a third calculator; comparing the tag output information a_(k, i) against the calculated value c in a comparator; in the event the tag output information a_(k, i) does not match the calculated value c, executing the processings in the third calculator and the comparator again by changing the value of at least part of n and w_(u); and in the event the tag output information a_(k, i) matches the calculated value c, extracting tag ID information id_(n) which is related to the combination the plurality of initial elements f_(u, 0) corresponding to the calculated value c from the database memory by a reader.
15. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which d (d≧1) elements e_(u, vu) (u∈{1, . . . , d}) are stored in a confidential value memory of each tag device k (k∈{1, . . . , m}, where m represents a total number of tag devices), a manifold value z having t kinds (t≧2) of values is stored in a first manifold value memory of each tag device k, a combination of d initial elements f_(u, 0) comprising one selected from each of d kinds (d≧1) of subgroups α_(u) (u∈{1, . . . , d}) and tag ID information id_(n) (n∈{1, . . . , m}) of each tag device are stored in a database memory of a backend apparatus in a manner relating to each other, and the manifold value z is stored in a second manifold value memory of the backend apparatus; comprising the steps of the tag device reading out each element e_(u, vu) from the confidential value memory and reading out either manifold value z from the first manifold value memory and applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to a confidential value s_(k, i) which is a bit combination value of the elements and the manifold value to generate tag output information a_(k, i)=F2(s_(k, i)) in a second calculator; delivering the tag output information a_(k, i) from an output section; and extracting at least part of elements e_(u′, vu′) (u′∈{1, . . . , d}) from the confidential value memory each time the output section delivers the tag output information a_(k, i) t times, applying a first function F1, an inverse image of which is difficult to obtain, to the extracted elements e_(u′, vu′), and saving a result of such calculation F1(e_(u′, vu′)) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting in a first calculator; the backend apparatus accepting the tag output information a_(k, i) as an input at an input section; applying the first function F1 w_(u) times (w_(u)∈{1, 2, . . . , max}) to the d initial elements f_(u, 0) (u∈{1, . . . , d}) corresponding to the tag ID information id_(n) and applying the second function F2 to a bit combination value of these values F1^(wu)(f_(u, 0)) and the manifold value z to determine a calculated value c in a third calculator; comparing the tag output information a_(k, i) against the calculated value c in a comparator; in the event the tag output information a_(k, i) does not match the calculated value c, executing the processings in the third calculator and the comparator again by changing the value of at least part of n, w_(u) and z; and in the event the tag output information a_(k, i) matches the calculated value c, extracting the tag ID information id_(n) which is related to the combination of the d initial elements f_(u, 0) corresponding to the calculated value c from the database memory by a reader.
16. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which d (d≧2) elements e_(u, vu) (u∈{1, . . . , d}) are stored in a confidential value memory of each tag device k (k∈{1, . . . , m}, where m represents a total number of tag devices), a manifold value z_(u) which assumes t_(u) kinds (t_(u)≧2) of values for each u is stored in a first manifold value memory of each tag device k, a combination of d initial elements f_(u, 0) comprising one selected from each of d kinds (d≧2) of subgroups α_(u) (u∈{1, . . . , d}) and tag ID information id_(n) (n∈{1, . . . , m}) of each tag device are stored in a database memory of a backend apparatus in a manner relating to each other, and the manifold value z_(u) is stored in a second manifold value memory of the backend apparatus; comprising the steps of the tag device reading out each element e_(u, vu) from the confidential value memory and reading out either manifold value z_(u) for each u from the first manifold value memory and applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to a confidential value s_(k, i) which is a bit combination value of e_(u, vu) and z_(u) to generate tag output information a_(k, i)=F2(s_(k, i)) in a second calculator; delivering the tag output information a_(k, i) from an output section; extracting at least part of elements e_(u, vu) (u′∈{1, . . . , d}) from the confidential value memory each time the output section delivers the tag output information a_(k, i) some number of times, applying a first function F1, an inverse image of which is difficult to obtain, to the extracted elements e_(u′, vu′), and saving a result of such calculation F1(e_(u′, vu′)) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting in a first calculator; the backend apparatus accepting the tag output information a_(k, i) as an input at an input section; applying w_(u) times (w_(u)∈{1, 2, . . . , max}) the first function F1 to the d initial elements f_(u, 0) (u∈{1, . . . , d}) corresponding to the tag ID information id_(n), and applying the second function F2 to a bit combination value of these values F1^(wu)(f_(u, 0)) and the manifold value z_(u) to determine a calculated value c in a third calculator; comparing the tag output information a_(k, i) against the calculated value c in a comparator; in the event the tag output information a_(k, i) does not match the calculated value c, executing the processings in the third calculator and the comparator again by changing the value of at least part of n, w_(u) and z_(u); and in the event the tag output information a_(k, i) matches the calculated value c, extracting tag ID information id_(n) which is related to the combination of a plurality of initial elements f_(u, 0) corresponding to the calculated value c from the database memory by a reader.
 17. A tag device for use in an automatic tag identification system comprising a confidential value memory in which a confidential value corresponding to tag ID information is stored; a second calculator connected to the confidential value memory for reading out the confidential value from the confidential value memory and for applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to the confidential value which is read out to generate tag output information; an output section for delivering the tag output information; and a first calculator for reading out at least part of elements of the confidential value from the confidential value memory and for applying a first function F1, a mapping of which is difficult to obtain, to the elements which are read out, with a result of such calculation being used to update the confidential value in the confidential value memory by overwriting.
 18. A backend apparatus for use in an automatic tag identification system comprising a database memory in which each tag ID information and a corresponding confidential value are related to each other; an input section which accepts tag output information as an input; a calculator for applying a first function F1 which is used in a tag device some number of times to at least part of elements of the confidential value in the database memory and which then applies a second function which is used in the tag device thereto; a comparator for sequentially comparing a result of the calculation in the calculator against the tag output information; and a reader for extracting the tag ID information which is related to the confidential value corresponding to the matching result of calculation when a matching between the result of calculation and the tag output information is found from the database memory.
 19. A tag device for use in an automatic tag identification system comprising a confidential value memory in which a first confidential value s_(k, i) corresponding to tag ID information id_(k) is stored; a second calculator connected to the confidential value memory for reading out the first confidential value s_(k, i) from the confidential value memory and for applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to the first confidential value s_(k, i) to generate tag output information F2(s_(k, i)); an output section for delivering the tag output information F2(s_(k, i)); and a first calculator connected to the confidential value memory for reading out the first confidential value s_(k, i) from the confidential value memory, for applying a first function F1, an inverse image of which is difficult to obtain, to the first confidential value and for saving a result of such calculation F1(s_(k, i)) as a new first confidential value s_(k, i+1) in the confidential value memory by overwriting.
 20. A tag device according to claim 19, further comprising a counter for counting a number of times m the first confidential value is updated, the output section also delivering information which specifies the number of updating times m.
 21. A tag device for use in an automatic tag identification system comprising a confidential value memory in which a first confidential value s_(k, i) and a first proper value w_(k) which correspond to a tag ID information id_(k) are stored; a second calculator connected to the confidential value memory for reading out the first confidential value s_(k, i) from the confidential value memory and for applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to the first confidential value to generate tag output information F2(s_(k, i)); an output section for delivering the tag output information F2(s_(k, i)); and a first calculator connected to the confidential value memory for reading out the first confidential value s_(k, i) and the first proper value w_(k) from the confidential value memory, for applying a first function F1, an inverse image of which is difficult to obtain, to a bit combination value of the first confidential value and the first proper value and for saving a result of such calculation F1(s_(k, i)|w_(k)) as a new first confidential value s_(k, i+1) in the confidential value memory by overwriting.
 22. A backend apparatus for use in an automatic tag identification system comprising a database memory in which each tag ID information id_(n) (n∈{1, . . . , m}, where m represents a total number of tag devices) and a second confidential value s_(n, 1) corresponding thereto are related to each other; an input section which accepts tag output information F2(s_(k, i)) as an input; a third calculator connected to the database memory for reading out the second confidential value s_(n, 1) from the database memory, applying j times (j∈{0, . . . , j_(max)}) a first function F1 which is used in a tag device to each of the second confidential values s_(n, 1) which are read out, and for subsequently applying a second function F2 which is used in the tag device; a comparator for comparing the tag output information F2(s_(k, i)) against a result of calculation in the third calculator F2(F1^(j)(s_(n, 1))); a controller for causing the processings in the third calculator and the comparator to be executed again by changing the value of at least one of n and j in the event the tag output information F2(s_(k, i)) and the result of calculation F2(F1^(j)(s_(n, 1))) do not match; and a reader connected to the database memory and operative when the tag output information F2(s_(k, i)) matches the result of the calculation F2(F1^(j)(s_(n, 1))) to extract the tag ID information id_(n) which is related to the second confidential value s_(n, 1) corresponding to the matching result of the calculation F2(F1^(j)(s_(n, 1))) from the database memory.
 23. A backend apparatus according to claim 22 in which the input section accepts an input of information which specifies a number of times m the first confidential value is updated in the tag device, the third calculator applies the first function F1 j=m times to each of the confidential values s_(n, 1) which are read out and then applies the second function F2 thereto, and the controller causes the processings in the third calculator and the comparator to be executed again by changing the value of n when the tag output information F2(s_(k, j)) does not match the result of the calculation F2(F1^(j)(s_(n, 1))).
 24. A backend apparatus according to claim 22 in which the database memory stores the result of the calculation F2(F1^(j)(s_(n, 1))) in the third calculator in a manner relating it to the second confidential value s_(n, 1), and the comparator performs a comparing processing by using the result of the calculation F2(F1^(j)(s_(n, 1))) stored in the database memory.
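The tag of claim 19 and the backend of claims 22 and 24, as an added example that is not part of the patent text. F1 and F2 are assumed here to be domain-separated SHA-256, and the tag names, seeds and j_max value are constructed for the demonstration.

```python
import hashlib
import hmac

# Assumption of this example: the claims only require F1 to be hard to invert
# and F2 to hide the relation between its input and output. Domain-separated
# SHA-256 is used for both.
def F1(s: bytes) -> bytes:
    return hashlib.sha256(b"F1" + s).digest()


def F2(s: bytes) -> bytes:
    return hashlib.sha256(b"F2" + s).digest()


class Tag:
    """Tag device of claim 19: emit F2(s), then overwrite s with F1(s)."""

    def __init__(self, s1: bytes):
        self.s = s1              # confidential value memory

    def respond(self) -> bytes:
        a = F2(self.s)           # second calculator: tag output information
        self.s = F1(self.s)      # first calculator: the old state is erased
        return a


class Backend:
    """Backend apparatus of claim 22, with the stored results of claim 24."""

    def __init__(self, j_max: int):
        self.j_max = j_max
        self.db = {}             # id_n -> s_(n, 1)
        self.table = {}          # F2(F1^j(s_(n, 1))) -> (id_n, j)

    def register(self, tag_id: str, s1: bytes) -> None:
        self.db[tag_id] = s1
        s = s1
        for j in range(self.j_max + 1):
            self.table[F2(s)] = (tag_id, j)   # claim 24: store each result
            s = F1(s)

    def identify(self, a: bytes):
        """Claim 22: change n and j until F2(F1^j(s_(n, 1))) matches a."""
        for tag_id, s in self.db.items():
            for j in range(self.j_max + 1):
                if hmac.compare_digest(F2(s), a):
                    return tag_id, j
                s = F1(s)
        return None              # no tag within j_max updates produced a

    def identify_cached(self, a: bytes):
        """Claim 24: compare against the stored results instead."""
        return self.table.get(a)


def seed(label: str) -> bytes:
    # Constructed initial confidential values; a deployment would use
    # independent random secrets per tag.
    return hashlib.sha256(label.encode()).digest()


def run_demo():
    backend = Backend(j_max=5)
    for name in ("tag-A", "tag-B", "tag-C"):
        backend.register(name, seed(name))
    tag = Tag(seed("tag-B"))
    # Seven reads: one more than the backend searches (j = 0..5).
    outputs = [tag.respond() for _ in range(7)]
    return backend, outputs


if __name__ == "__main__":
    backend, outputs = run_demo()
    for i, a in enumerate(outputs):
        print(i, a.hex()[:16], backend.identify(a))
```

Every read yields a different output, and a tag read more than j_max + 1 times falls outside the backend's search window, so the choice of j_max bounds both the search cost and how many unanswered reads a tag tolerates before it can no longer be identified.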
 25. A backend apparatus for use in an automatic tag identification system comprising a database memory in which each tag ID information id_(n) (n∈{1, . . . , m}), a corresponding second confidential value s_(n, 1) and second proper value w_(n) are stored in a manner relating to each other; an input section which accepts an input of tag output information F2(s_(k, i)); a third calculator connected to the database memory for reading out the second confidential value s_(n, 1) and the second proper value w_(n) from the database memory and for applying a second function F2 to I^(j)(n) where I^(j)(n)=s_(n, 1) (j=0), and I^(j)(n)=F1(I^(j−1)(n)|id_(n)) (j≧1) to calculate F2(I^(j)(n)); a comparator for comparing the tag output information F2(s_(k, i)) against the result of the calculation in the third calculator F2(I^(j)(n)); a controller for causing the processings in the third calculator and the comparator to be executed again by changing the value of at least one of n and j when the tag output information F2(s_(k, i)) does not match the result of the calculation F2(I^(j)(n)); and a reader for extracting tag ID information id_(n) which is related to the second confidential value s_(n, 1) and the second proper value w_(n) corresponding to the matched result of calculation F2(I^(j)(n)) from the database memory when a matching between the tag output information F2(s_(k, i)) and the result of the calculation F2(I^(j)(n)) is found.
 26. A tag device for use in an automatic tag identification system comprising a confidential value memory in which a first confidential value s_(k, i) and a first proper value w_(k) corresponding to tag ID information id_(k) are stored; a second calculator connected to the confidential value memory for reading out the first confidential value s_(k, i) and the first proper value w_(k) from the confidential value memory and for applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to a bit combination value of the first confidential value and the first proper value to generate tag output information F2(s_(k, i)|w_(k)); an output section for delivering the tag output information F2(s_(k, i)|w_(k)); and a first calculator connected to the confidential value memory for reading the first confidential value s_(k, i) from the confidential value memory, applying a first function F1, an inverse image of which is difficult to obtain, to the first confidential value s_(k, i) which is read out and saving a result of such calculation F1(s_(k, i)) as a new first confidential value s_(k, i+1) in the confidential value memory by overwriting.
 27. A backend apparatus for use in an automatic tag identification system comprising a database memory in which each tag ID information id_(n) (n∈{1, . . . , m}) and a corresponding second confidential value s_(n, 1) and second proper value w_(n) are stored in a manner relating to each other; an input section which accepts an input of tag output information F2(s_(k, i)|w_(k)); a third calculator connected to the database memory for reading out the second confidential value s_(n, 1) and the second proper value w_(n) from the database memory, applying j times (j∈{0, . . . , j_(max)}) a first function F1 which is used in a tag device to the second confidential value s_(n, 1), determining a bit combination value F1^(j)(s_(n, i))|w_(n) of a result of application F1^(j)(s_(n, i)) and the second proper value w_(n), and applying a second function F2 which is used in the tag device to the bit combination value F1(s_(n, i)|w_(n)); a comparator for comparing the tag output information F2(s_(k, i)|w_(k)) against a result of calculation in the third calculator F2(F1^(j)(s_(n, i))|w_(n)); a controller for causing the processings in the third calculator and the comparator to be executed again by changing the value of at least one of n and j when the tag output information F2(s_(k, i)|w_(k)) does not match the result of the calculation F2(F1^(j)(s_(n, i))|w_(n)); and a reader connected to the database memory for extracting the tag ID information id_(n) which is related to the second confidential value s_(n, 1) and the second proper value w_(n) corresponding to the matched result of calculation F2(F1^(j)(s_(n, i))|w_(n)) when a matching between the tag output information F2(s_(k, i)|w_(k)) and the result of the calculation F2(F1^(j)(s_(n, i))|w_(n)) is found.
 28. A tag device for use in an automatic tag identification system comprising a confidential value memory in which a first proper value w_(k) corresponding to each tag ID information id_(k) and a first confidential value s_(i) which assumes an equal initial value s_(i) for a plurality of tag ID information are stored; a second calculator connected to the confidential value memory for reading out the first confidential value s_(i) and the first proper value w_(k) from the confidential value memory and for applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to a bit combination value of the first confidential value and the first proper value to generate tag output information F2(s_(i)|w_(k)); an output section for delivering the tag output information F2(s_(i)|w_(k)); and a first calculator connected to the confidential value memory for reading out the first confidential value s_(i) from the confidential value memory, applying a first function F1, an inverse image of which is difficult to obtain, to the first confidential value s_(i) which is read out and saving a result of such calculation F1(s_(i)) as a new first confidential value s_(i+1) in the confidential value memory by overwriting.
 29. A backend apparatus for use in an automatic tag identification system comprising a database memory in which each tag ID information id_(n) (n∈{1, . . . , m}) and a corresponding second proper value w_(n) are stored in a manner relating to each other; a calculated value memory in which first results of calculation s_(j+1) are stored which are obtained by applying j times (j∈{0, . . . , j_(max)}) a first function which is used in a tag device to a second confidential value s₁ which is used in common for a plurality of tag ID information; an input section which accepts an input of tag output information F2(s_(i)|w_(k)); a third calculator connected to the database memory for reading out the first result of calculation s_(j+1) and the second proper value w_(n) from the database memory to obtain a bit combination value thereof s_(j+1)|w_(n) and for applying a second function F2 which is used in the tag device thereto; a comparator for comparing the tag output information F2(s_(i)|w_(k)) and the result of calculation in the third calculator F2(s_(j+1)|w_(n)); a controller for causing the processings in the third calculator and the comparator to be executed again by changing the value of at least one of n and j when the tag output information F2(s_(i)|w_(k)) does not match the result of calculation F2(s_(j+1)|w_(n)); and a reader connected to the database memory for extracting the tag ID information id_(n) which is related to the second proper value w_(n) corresponding to the matched result of calculation F2(s_(j+1)|w_(n)) when a matching between the tag output information F2(s_(i)|w_(k)) and the result of calculation F2(s_(j+1)|w_(n)) is found.
 30. A tag device for use in an automatic tag identification system comprising a confidential value memory in which a combination of d (d≧2) elements e_(u, vu) (u∈{1, . . . , d}) which corresponds to each tag ID information id_(k) is stored; a second calculator connected to the confidential value memory for reading out the d elements e_(u, vu) from the confidential value memory and for applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to a confidential value s_(k, i) which is a bit combination value of the d elements to generate tag output information a_(k, i)=F2(s_(k, i)); an output section for delivering the tag output information a_(k, i); and a first calculator connected to the confidential value memory for extracting at least part of elements e_(u′, vu′) (u′∈{1, . . . , d}) from the confidential value memory, for applying a first function F1, an inverse image of which is difficult to obtain, to the extracted elements e_(u′, vu′) and for saving a result of such calculation F1(e_(u′, vu′)) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting.
 31. A backend apparatus for use in an automatic tag identification system comprising a database memory in which a combination of d initial elements f_(u, 0) comprising one selected from each of d kinds (d≧2) of subgroups α_(u) (u∈{1, . . . , d}), and tag ID information id_(n) of each tag device n (n∈{1, . . . , m}, where m represents a total number of tag devices) are stored in a manner relating to each other; an input section for accepting an input of tag output information a_(k, i); a third calculator for applying w_(u) times (w_(u)∈{1, 2, . . . , max}) a first function F1 to the d initial elements f_(u, 0) (u∈{1, . . . , d}) which correspond to the tag ID information id_(n) and for applying a second function F2 to a bit combination value of these values F1^(wu)(f_(u, 0)) to determine a calculated value c; a comparator for comparing the tag output information a_(k, i) against the calculated value c; a controller for causing the processings in the third calculator and the comparator to be executed again by changing the value of at least part of n and w_(u) when the tag output information a_(k, i) does not match the calculated value c; and a reader connected to the database memory for extracting tag ID information id_(n) which is related to the combination of d initial elements f_(u, 0) corresponding to the calculated value c when the tag output information a_(k, i) matches the calculated value c.
 32. A tag device for use in an automatic tag identification system comprising a confidential value memory in which a combination of d (d≧2) elements e_(u, vu) (u∈{1, . . . , d}) which correspond to each tag ID information id_(k) and a proper value γ_(k) which is inherent to each tag ID information id_(k) are stored; a second calculator connected to the confidential value memory for reading out the d elements e_(u, vu) and the proper value γ_(k) from the confidential value memory and for applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to a confidential value s_(k, i) which is a bit combination value of the d elements and the proper value to generate tag output information a_(k, i)=F2(s_(k, i)); an output section for delivering the tag output information a_(k, i); and a first calculator connected to the confidential value memory for extracting at least part of the elements e_(u′, vu′) (u′∈{1, . . . , d}) from the confidential value memory, applying a first function F1, an inverse image of which is difficult to obtain, to the extracted elements e_(u′, vu′) and for saving a result of such calculation F1(e_(u′, vu′)) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting.
 33. A backend apparatus for use in an automatic tag identification system comprising a database memory in which a combination of d initial elements f_(u, 0) comprising one selected from each of d kinds (d≧2) of subgroups α_(u) (u∈{1, . . . , d}), a proper value γ_(n) which is inherent to each tag ID information id_(n) (n∈{1, . . . , m}) and each tag ID information id_(n) are stored in a manner relating to each other; an input section for accepting an input of tag output information a_(k, i); a third calculator for applying w_(u) times (w_(u)∈{1, 2, . . . , max}) a first function F1 to the d initial elements f_(u, 0) (u∈{1, . . . , d}) corresponding to the tag ID information id_(n) and for applying a second function F2 to a bit combination value of these values F1^(wu)(f_(u, 0)) and the proper value γ_(n) to determine a calculated value c; a comparator for comparing the tag output information a_(k, i) against the calculated value c; a controller for causing the processings in the third calculator and the comparator to be executed again by changing the value of at least part of n and w_(u) when the tag output information a_(k, i) does not match the calculated value c; and a reader connected to the database memory for extracting tag ID information id_(n) which is related to the combination of a plurality of initial elements f_(u, 0) corresponding to the calculated value c from the database memory when a matching between the tag output information a_(k, i) and the calculated value c is found.
 34. A tag device for use in an automatic tag identification system comprising a confidential value memory in which d (d≧1) elements e_(u, vu) (u∈{1, . . . , d}) are stored; a first manifold value memory in which a manifold value z which assumes t kinds (t≧2) of values is stored; a second calculator connected to the confidential value memory and the first manifold value memory for reading out the elements e_(u, vu) from the confidential value memory and for reading out either manifold value z from the first manifold value memory and for applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to a confidential value s_(k, i) which is a bit combination value of the elements and the manifold value to generate tag output information a_(k, i)=F2(s_(k, i)); an output section for delivering the tag output information a_(k, i); and a first calculator connected to the confidential value memory for extracting at least part of elements e_(u′, vu′) (u′∈{1, . . . , d}) from the confidential value memory each time the output section delivers the tag output information a_(k, i) t times, for applying a first function F1, an inverse image of which is difficult to obtain, to the extracted elements e_(u′, vu′) and for saving a result of such calculation F1(e_(u′, vu′)) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting.
 35. A tag device according to claim 34 in which as long as the first calculator does not update elements in the confidential value memory, the manifold value z used by the second calculator in generating the tag output information a_(k, i) changes each time the tag output information a_(k, i) is generated.
 36. A backend apparatus for use in an automatic tag identification system comprising a database memory in which a combination of d initial elements f_(u, 0) comprising one selected from each of d kinds (d≧1) of subgroup α_(u) (u∈{1, . . . , d}) and a tag ID information id_(n) (n∈{1, . . . , m}) of each tag device are stored in a manner relating to each other; a second manifold value memory in which a manifold value z which assumes t kinds (t≧2) of values is stored; an input section for accepting an input of tag output information a_(k, i); a third calculator for applying w_(u) times (w_(u)∈{1, 2, . . . , max}) a first function F1 to the d initial elements f_(u, 0) (u∈{1, . . . , d}) in the database memory which correspond to the tag ID information id_(n) and for applying a second function F2 to a bit combination value of these values F1^(wu)(f_(u, 0)) and the manifold value z in the second manifold value memory to determine a calculated value c; a comparator for comparing the tag output information a_(k, i) against the calculated value c; a controller for causing the processings in the third calculator and the comparator to be executed again by changing the value of at least part of n, w_(u) and z when the tag output information a_(k, i) does not match the calculated value c; and a reader connected to the database memory for extracting the tag ID information id_(n) which is related to the combination of d initial elements f_(u, 0) corresponding to the calculated value c from the database memory when a matching between the tag output information a_(k, i) and the calculated value c is found.
 37. A tag device for use in an automatic tag identification system comprising a confidential value memory in which d (d≧2) elements e_(u, vu) (u∈{1, . . . , d}) are stored; a first manifold value memory in which a manifold value z_(u) which assumes t_(u) kinds (t_(u)≧2) of values for each u is stored; a second calculator connected to the confidential value memory and the first manifold value memory for reading out the elements e_(u, vu) from the confidential value memory and for reading out either manifold value z_(u) for each u from the first manifold value memory and for applying a second function F2 which disturbs a relationship between elements of a definition domain and a mapping thereof to a confidential value s_(k, i) which is a bit combination value of these e_(v, vu) and z_(u) to generate tag output information a_(k, i)=F2(s_(k, i)); an output section for delivering the tag output information a_(k, i); and a first calculator connected to the confidential value memory for extracting at least part of the elements e_(u′, vu′) (u′∈{1, . . . , d}) from the confidential value memory each time the output section delivers the tag output information a_(k, i) some number of times, for applying a first function F1, an inverse image of which is difficult to obtain, to the extracted elements e_(u′, vu′), and for saving a result of such calculation F1(e_(u′, vu′)) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting.
 38. A tag device according to claim 37 in which each time the output section delivers the tag output information a_(k, i), the first calculator extracts at least part of the elements e_(u′, vu′) from the confidential value memory, applies the first function F1 to the extracted elements e_(u′, vu′) and saves a result of such calculation F1(e_(u′, vu′)) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting.
 39. A tag device according to claim 37 in which each time the output section delivers the tag output information a_(k, i) $\sum_{u=1}^{d} t_{u}$ times, the first calculator extracts at least part of the elements e_(u′, vu′) from the confidential value memory, applies the first function F1 to the extracted elements e_(u′, vu′), and saves a result of such calculation F1(e_(u′, vu′)) as new elements e_(u′, vu′+1) in the confidential value memory by overwriting.
 40. A tag device according to claim 39 in which as long as the first calculator does not update the elements in the confidential value memory, a combination of manifold values z_(u) (u∈{1, . . . , d}) which are used by the second calculator in generating the tag output information a_(k, i) changes each time the tag output information a_(k, i) is generated.
 41. A backend apparatus for use in an automatic tag identification system comprising a database memory in which a combination of d initial elements f_(u, 0) which comprises one selected from each of d kinds (d≧1) of subgroups α_(u) (u∈{1, . . . , d}) and tag ID information id_(n) (n∈{1, . . . , m}) of each tag device are stored in a manner relating to each other; a second manifold value memory in which a manifold value z_(u) which assumes t_(u) kinds (t_(u)≧2) of values for each u is stored; an input section for accepting an input of tag output information a_(k, i); a third calculator for applying w_(u) times (w_(u)∈{1, 2, . . . , max}) a first function F1 which is used in a tag device to the d initial elements f_(u, 0) (u∈{1, . . . , d}) corresponding to the tag ID information id_(n) and for applying a second function F2 which is used in the tag device to a bit combination value of these values F1^(wu)(f_(u, 0)) and the manifold value z_(u) to determine a calculated value c; a comparator for comparing the tag output information a_(k, i) against the calculated value c; a controller for causing the processings in the third calculator and the comparator to be executed again by changing the value of at least part of n, w_(u) and z; and a reader connected to the database memory for extracting tag ID information id_(n) which is related to the combination of the d initial elements f_(u, 0) corresponding to the calculated value c from the database memory when a matching between the tag output information a_(k, i) and the calculated value c is found.
 42. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which privileged ID information sid_(h) which is formed by privileging respective tag ID information id_(h) is stored in a confidential value memory of each tag device; comprising the steps of the tag device reading out the privileged ID information sid_(h) stored in the confidential value memory in a read/write section; and delivering the privileged ID information sid_(h) to an updater which is provided externally of each tag device from a first output section; the updater accepting an input of the privileged ID information sid_(h) at a first input section; generating new privileged ID information sid_(h)′, the association of which with the privileged ID information sid_(h) is difficult to follow in an updating section; delivering the new privileged ID information sid_(h)′ to the tag device from a second output section; the tag device further accepting an input of the new privileged ID information sid_(h)′ at a second input section; the read/write section of the tag device storing the new privileged ID information sid_(h)′ in the confidential value memory.
 43. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which the privileged ID information sid_(h) which is a random value r_(h) related to each tag ID information id_(h) is stored in a confidential value memory of each tag device h (h∈{1, . . . , m}, where m represents a total number of tag devices), and each tag ID information id_(h) and privileged ID information sid_(h) which is the random value r_(h) related to the tag ID information id_(h) are stored in a privileged ID memory of an updater which is provided externally of each tag device h in a manner relating to each other; comprising the steps of the tag device h reading out the privileged ID information sid_(h) stored in the confidential value memory thereof in a first read/write section; and delivering the privileged ID information sid_(h) to the updater from a first output section; the updater accepting an input of the privileged ID information sid_(h) at a first input section; generating a new random value r_(h)′ in a random value generator; selecting tag ID information id_(h) corresponding to the privileged ID information sid_(h) which is accepted as the input from the privileged ID memory and storing the new random value r_(h)′ in the privileged ID memory in a manner relating to new privileged ID information sid_(h)′ in a second read/write section; and delivering the new privileged ID information sid_(h)′ to the tag device h from a second output section; the tag device h further accepting an input of the new privileged ID information sid_(h)′ at a second input section; the read/write section of the tag device storing the new privileged ID information sid_(h)′ in the confidential value memory.
 44. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which privileged ID information sid_(h) is stored in a confidential value memory of each tag device h (h∈{1, . . . , m}, where m represents a total number of tag devices), the privileged ID information sid_(h) including a first encrypted text according to a common key encryption technique which corresponds to each tag ID information id_(h) and key ID information kid_(j) of a common key k_(j) used in the encryption (j∈{1, . . . , n}, where n represents a total number of tag devices), and each key ID information kid_(j) are stored and each common key k_(j) in a key memory of an updater which is provided externally of each tag device h in a manner relating to each other; comprising the steps of the tag device h reading out the privileged ID information sid_(h) stored in the confidential value memory thereof in a first read/write section; and delivering the privileged ID information sid_(h) to an updater from a first output section; the updater accepts an input of the privileged ID information sid_(h) at a first input section; extracting the common key k_(j) corresponding to the key ID information kid_(j) included in the privileged ID information sid_(h) from the key memory by a second read/write section; decrypting the first encrypted text using the common key k_(j) extracted by the second read/write section to extract tag ID information id_(h) by an ID extractor; generating a second encrypted text, the association of which with the first encrypted text is difficult to follow, using the tag ID information id_(h) extracted by the ID extractor and the common key k_(j) which is used in the extraction in an encryptor; and delivering new privileged ID information sid_(h)′ including the second encrypted text and the key ID information kid_(j) of the common key k_(j) to the tag device h from a second output section; the tag device h further accepting an input of the new privileged ID information sid_(h)′ at a second input section; the first read/write section of the tag device storing the new privileged ID information sid_(h)′ in the confidential value memory.
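The updater exchange of claim 44, as an added example that is not part of the patent text. The claim names no cipher, so a randomized HMAC-SHA256 keystream construction stands in for the common key encryption technique; the authentication tag, the key ID "kid-1", the tag ID "id-0001" and the key value are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
MAC_LEN = 32


def subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from k_j.
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # A fresh nonce per call makes two encryptions of one ID look unrelated.
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    mac = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + mac


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + MAC_LEN:
        raise ValueError("privileged ID information too short")
    nonce, body, mac = blob[:NONCE_LEN], blob[NONCE_LEN:-MAC_LEN], blob[-MAC_LEN:]
    want = hmac.new(subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, want):
        raise ValueError("privileged ID information failed authentication")
    ks = keystream(subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


class Updater:
    """Updater of claim 44: key memory maps kid_j to the common key k_j."""

    def __init__(self):
        self.key_memory = {}

    def add_key(self, kid: str, key: bytes) -> None:
        self.key_memory[kid] = key

    def issue(self, kid: str, tag_id: bytes):
        return kid, encrypt(self.key_memory[kid], tag_id)

    def extract_id(self, sid) -> bytes:
        kid, blob = sid
        return decrypt(self.key_memory[kid], blob)   # ID extractor

    def update(self, sid):
        kid, _ = sid
        tag_id = self.extract_id(sid)
        # Second encrypted text under the same key; kid is carried unchanged.
        return kid, encrypt(self.key_memory[kid], tag_id)


class Tag:
    def __init__(self, sid):
        self.sid = sid                   # confidential value memory

    def refresh(self, updater: Updater) -> None:
        self.sid = updater.update(self.sid)


def run_update_demo():
    updater = Updater()
    updater.add_key("kid-1", hashlib.sha256(b"constructed common key").digest())
    tag = Tag(updater.issue("kid-1", b"id-0001"))
    before = tag.sid
    tag.refresh(updater)
    return updater, before, tag.sid
```

The key ID travels in the clear and survives every update, so it stays unlinkable only when one common key is shared by many tags.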
 45. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which privileged ID information sid_(h) is stored in a confidential value memory of each tag device h (h ∈ {1, ..., m}, where m represents a total number of tag devices), the privileged ID information sid_(h) including a first encrypted text according to a public key encryption technique which corresponds to each tag ID information id_(h) and key ID information kid_(j) for a key pair (sk_(j), pk_(j)) (where sk_(j) represents a secret key and pk_(j) represents a public key, j ∈ {1, ..., n}, where n represents a total number of tag devices), and each key ID information kid_(j) and each key pair (sk_(j), pk_(j)) are stored in a key memory of an updater which is provided externally of each tag device h in a manner relating to each other; comprising the steps of the tag device h reading out the privileged ID information sid_(h) stored in the confidential value memory in a first read/write section; and delivering the privileged ID information sid_(h) to an updater from a first output section; the updater accepting an input of the privileged ID information sid_(h) at a first input section; extracting the key pair (sk_(j), pk_(j)) which corresponds to the key ID information kid_(j) which is included in the privileged ID information sid_(h) accepted as the input to the first input section by a second read/write section; decrypting the first encrypted text using the secret key sk_(j) extracted by the second read/write section to extract the tag ID information id_(h) by an ID extractor; generating a second encrypted text, the association of which with the first encrypted text is difficult to follow, using the tag ID information id_(h) extracted by the ID extractor and the public key pk_(j) which is extracted by the second read/write section by an encryptor; and delivering new privileged ID information sid_(h)′ including the second encrypted text and the key ID information kid_(j) of the key pair (sk_(j), pk_(j)) to the tag device h from a second output section; the tag device h further accepting an input of the new privileged ID information sid_(h)′ at a second input section; the read/write section storing the new privileged ID information sid_(h)′ in the confidential value memory.
 46. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which privileged ID information sid_(h) is stored in a confidential value memory of each tag device h (h ∈ {1, ..., m}, where m represents a total number of tag devices), the privileged ID information sid_(h) including a first encrypted text according to a re-encryptable public key encryption technique which corresponds to each tag ID information id_(h) and key ID information kid_(j) of the public key pk_(j) (j ∈ {1, ..., n}, where n represents a total number of keys), and each key ID information kid_(j) and each public key pk_(j) are stored in a key memory of an updater which is provided externally of each tag device h in a manner relating to each other; comprising the steps of the tag device h reading out the privileged ID information sid_(h) stored in the confidential value memory in a first read/write section; and delivering the privileged ID information sid_(h) to an updater from a first output section; the updater accepting an input of the privileged ID information sid_(h) at a first input section; extracting the public key pk_(j) which corresponds to the key ID information kid_(j) included in the privileged ID information sid_(h) which is accepted as the input to the first input section from the key memory by a second read/write section; re-encrypting the first encrypted text in the privileged ID information sid_(h) using the public key pk_(j) extracted by the second read/write section to generate a second encrypted text, the association of which with the first encrypted text is difficult to follow, by an encryptor; and delivering new privileged ID information sid_(h)′ including the second encrypted text and the key ID information kid_(j) of the public key pk_(j) to the tag device h from a second output section; the tag device h further accepting an input of the new privileged ID information sid_(h)′ at a second input section; the read/write section storing the new privileged ID information sid_(h)′ in the confidential value memory.
 47. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which privileged ID information sid_(h) which has privileged each tag ID information id_(h) is stored in a confidential value memory of each tag device h (h ∈ {1, ..., m}, where m represents a total number of tag devices); comprising the steps of the tag device h reading out the privileged ID information sid_(h) stored in the confidential value memory by a first read/write section; and delivering the privileged ID information sid_(h) to a first updater which is provided externally of the tag device h from a first output section; the first updater accepting an input of the privileged ID information sid_(h) at a first input section; determining tag ID information id_(h) from the privileged ID information sid_(h) by an ID extractor; and delivering the tag ID information id_(h) to a second updater which is provided externally of the tag device h from a second output section; the second updater accepting an input of the tag ID information id_(h) at a third input section; generating new privileged ID information sid_(h)′ which has privileged the tag ID information id_(h) by an encryptor; and delivering the new privileged ID information sid_(h)′ to the tag device h from a third output section; the tag device h further accepting an input of the new privileged ID information sid_(h)′ at a second input section; the read/write section storing the new privileged ID information sid_(h)′ in the confidential value memory.
 48. An updater for updating privileged ID information in a tag device, the updater being provided externally of the tag device and comprising a privileged ID memory for storing each tag ID information id_(h) and privileged ID information sid_(h) which is a random value r_(h) which corresponds to the tag ID information id_(h) in a manner relating to each other; a first input section which accepts an input of the privileged ID information sid_(h) which is delivered from the tag device; a random value generator for generating a new random value r_(h)′; a second read/write section connected to the privileged ID memory for selecting tag ID information id_(h) which corresponds to the privileged ID information sid_(h) which is accepted by the first input section as the input from the privileged ID memory and for relating this with the new random value r_(h)′ as new privileged ID information sid_(h)′ to be stored in the privileged ID memory; and a second output section for delivering the new privileged ID information sid_(h)′ to the tag device h.
 49. An updater for updating privileged ID information in a tag device, the updater being provided externally of the tag device and comprising a key memory for storing each key ID information kid_(j) (j ∈ {1, ..., n}, where n represents a total number of keys) and each common key k_(j) of a common key encryption technique in a manner relating to each other; a first input section for accepting an input of privileged ID information sid_(h) which includes a first encrypted text according to the common key encryption technique which corresponds to the tag ID information id_(h) and key ID information kid_(j) of the common key k_(j) which is used in the encryption; a second read/write section connected to the key memory for extracting the common key k_(j) which corresponds to the key ID information kid_(j) which is included in the privileged ID information sid_(h) from the key memory; an ID extractor for decrypting the first encrypted text using the common key k_(j) which is extracted by the second read/write section to extract tag ID information id_(h); an encryptor for generating a second encrypted text, the association of which with the first encrypted text is difficult to follow, using the tag ID information id_(h) extracted by the ID extractor and the common key k_(j) which is used in the extraction; and a second output section for delivering new privileged ID information sid_(h)′ which includes the second encrypted text and the key ID information kid_(j) for the common key k_(j) to the tag device h.
 50. An updater for updating privileged ID information in a tag device, the updater being provided externally of the tag device and comprising a key memory for storing each key ID information kid_(j) (j ∈ {1, ..., n}, where n represents a total number of keys) and each key pair (sk_(j), pk_(j)) (sk_(j) represents a secret key and pk_(j) a public key) in a manner relating to each other; a first input section for accepting an input of privileged ID information sid_(h) which includes a first encrypted text according to a public key encryption technique which corresponds to tag ID information id_(h) and key ID information kid_(j) for the public key pk_(j) which is used in the encryption; a second read/write section connected to the key memory for extracting the key pair (sk_(j), pk_(j)) which corresponds to the key ID information kid_(j) which is included in the privileged ID information sid_(h) accepted by the first input section as the input from the key memory; an ID extractor for decrypting the first encrypted text using the secret key sk_(j) extracted by the second read/write section to extract tag ID information id_(h); an encryptor for generating a second encrypted text, the association of which with the first encrypted text is difficult to follow, using the tag ID information id_(h) extracted by the ID extractor and the public key pk_(j) extracted by the second read/write section; and a second output section for delivering new privileged ID information sid_(h)′ which includes the second encrypted text and the key ID information kid_(j) for the key pair (sk_(j), pk_(j)) to the tag device h.
 51. An updater for updating privileged ID information in a tag device, the updater being provided externally of the tag device and comprising a key memory for storing each key ID information kid_(j) (j ∈ {1, ..., n}, where n represents a total number of keys) and each public key pk_(j) in a manner relating to each other; a first input section for accepting an input of privileged ID information sid_(h) which includes a first encrypted text according to a re-encryptable public key encryption technique which corresponds to tag ID information id_(h) and key ID information kid_(j) for the public key pk_(j); a second read/write section connected to the key memory for extracting the public key pk_(j) which corresponds to the key ID information kid_(j) which is included in the privileged ID information sid_(h) which is accepted by the first input section as the input from the key memory; an encryptor for re-encrypting the first encrypted text which is included in the privileged ID information sid_(h) using the public key pk_(j) extracted by the second read/write section to generate a second encrypted text, the association of which with the first encrypted text is difficult to follow; and a second output section for delivering new privileged ID information sid_(h)′ which includes the second encrypted text and the key ID information kid_(j) for the public key pk_(j) to the tag device h.
 52. An updater according to one of claims 49 to 51 in which the key ID information kid_(j) is information which is shared by a plurality of unrelated tag devices.
 53. An update solicitor for soliciting an updater to update privileged ID information in a tag device, the update solicitor being provided externally of the tag device and comprising a privileged ID input section to which a plurality of kinds of privileged ID's, which are re-encryptable encrypted texts corresponding to an identical tag ID information id_(h), are input; a privileged ID memory for storing a plurality of kinds of privileged ID's which are input thereto; a privileged ID extractor connected to the privileged ID memory for extracting one of privileged ID's from the privileged ID memory at a given opportunity; and a privileged ID output section for delivering the extracted privileged ID to the tag device.
 54. A tag device for use in an automatic tag identification system comprising a privileged ID input section to which a plurality of kinds of privileged ID's, which are re-encryptable encrypted texts corresponding to an identical tag ID information id_(h), are input; a privileged ID memory for storing the plurality of kinds of privileged ID's which are input thereto; a privileged ID extractor connected to the privileged ID memory for extracting one of the privileged ID's from the privileged ID memory at a given opportunity; and a privileged ID output section for delivering the extracted privileged ID.
 55. A tag privacy protection method for preventing privacy information of a user from being acquired from information which is delivered from a tag device, in which a key ID and a key are stored in a key memory in a manner relating to each other, the tag device comprises a privileged ID memory including a read-only region in which a key ID is stored and a rewritable region in which a first privileged ID is stored; comprising the steps of the tag device extracting the key ID and the first privileged ID from the privileged ID memory by a read/write section; and delivering the extracted key ID and first privileged ID to an updater from a first output section; the updater accepting the key ID and the first privileged ID as inputs at a first input section; extracting a key which corresponds to the key ID which is input to the first input section from the key memory by a first key extractor; generating a second privileged ID, the association of which with the first privileged ID is difficult to follow, using the key extracted by the first key extractor and the first privileged ID which is input to the first input section in a privileged ID updating section; and delivering the second privileged ID from a second output section; the tag device further accepting an input of the second privileged ID at a second input section; the read/write section storing the second privileged ID in the rewritable region of the privileged ID memory.
 56. A tag privacy protection method according to claim 55, further comprising the steps of the updater additionally including a verification information generator which generates a verification information for the second privileged ID; the second output section of the updater delivering the second privileged ID and the verification information; the second input section of the tag device accepting the second privileged ID and the verification information as inputs; the read/write section of the tag device storing the second privileged ID and the verification information in the rewritable region of the privileged ID memory.
 57. A tag privacy protection method according to claim 55, further comprising the steps of the read/write section of the tag device extracting the key ID from the read-only region of the privileged ID memory and extracting a third privileged ID from the rewritable region, the first output section of the tag device delivering the extracted key ID and the third privileged ID to a decryptor; the decryptor accepting the key ID and the first privileged ID as inputs at a third input section; extracting a key which corresponds to the key ID which is accepted by the third input section as an input from the key memory by a second key extractor; calculating an ID using the privileged ID which is input to the third input section and the key extracted by the second key extractor in an ID calculator; and verifying the structure of the calculated ID by an ID structure verifier.
 58. A tag device for use in an automatic tag identification system comprising a privileged ID memory including a read-only region in which a key ID is stored and a rewritable region in which a first privileged ID is stored; a read/write section for extracting the key ID and the first privileged ID from the privileged ID memory; a first output section for delivering the key ID and the first privileged ID which are extracted; and a second input section for accepting an input of a second privileged ID, the association of which with the first privileged ID is difficult to follow; the read/write section storing the second privileged ID which is input in the rewritable region of the privileged ID memory.
 59. A tag device according to claim 58 in which the second input section additionally accepts an input of verification information for the second privileged ID and the read/write section additionally stores the verification information which is input in the rewritable region of the privileged ID memory.
 60. A tag device according to claim 58 in which the privileged ID represents information which is part of information constituting an ID and which is inherent to each tag device, which is privileged alone.
 61. A tag device according to claim 58 in which an identical key ID is allocated to unrelated tag devices.
 62. A tag program for enabling a computer to function as a tag device according to one of claims 17, 54 and 58.
 63. A tag program for enabling a computer to function as a backend apparatus according to claim 18.
 64. An updating program for enabling a computer to function as an updater according to one of claims 48 to 51.
 65. An update soliciting program for enabling a computer to function as an update solicitor according to claim 53.
 66. A computer readable record medium storing a tag program which enables a computer to function as a tag device according to one of claims 17, 54 and 58.
 67. A computer readable record medium storing a tag program which enables a computer to function as a backend apparatus according to claim 18.
 68. A computer readable record medium storing an update program which enables a computer to function as an updater according to one of claims 48 to 51.
 69. A computer readable record medium storing an update soliciting program which enables a computer to function as an update solicitor according to claim 53.
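Claims 46 and 51 describe an updater that holds only public keys and re-encrypts the stored ciphertext without ever recovering id_(h). The sketch below is an added example, not code from the patent; it assumes ElGamal as the re-encryptable scheme, a toy group (p = 2039) and hypothetical names (`Updater`, `update`, `reencrypt`, `"kid-1"`).

```python
import secrets

# Toy safe-prime group p = 2q + 1, constructed for this example; far too
# small for real use. G = 4 generates the order-Q subgroup of squares.
P, Q, G = 2039, 1019, 4

def _rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def keygen():
    sk = _rand_exp()
    return sk, pow(G, sk, P)

def encode(tag_id):
    """Map id_h in [1, Q] onto a quadratic residue mod P."""
    if not 1 <= tag_id <= Q:
        raise ValueError("tag id out of range for this toy group")
    return tag_id if pow(tag_id, Q, P) == 1 else P - tag_id

def decode(elem):
    return elem if elem <= Q else P - elem

def encrypt(pk, tag_id):
    r = _rand_exp()
    return (pow(G, r, P), encode(tag_id) * pow(pk, r, P) % P)

def decrypt(sk, ct):
    c1, c2 = ct
    return decode(c2 * pow(c1, Q - sk, P) % P)   # c1 has order Q, so this is c1^-sk

def reencrypt(pk, ct):
    """Multiply in a fresh encryption of 1; the plaintext is never exposed."""
    s = _rand_exp()
    c1, c2 = ct
    return (c1 * pow(G, s, P) % P, c2 * pow(pk, s, P) % P)

class Updater:
    """Hypothetical updater in the sense of claim 51: key memory maps kid_j -> pk_j."""
    def __init__(self, key_memory):
        self.key_memory = dict(key_memory)

    def update(self, sid):
        kid, ct = sid
        pk = self.key_memory[kid]                # KeyError for an unknown kid_j
        # Reject components outside the order-Q subgroup before touching them.
        if any(not 0 < c < P or pow(c, Q, P) != 1 for c in ct):
            raise ValueError("ciphertext component not in the group")
        return (kid, reencrypt(pk, ct))

if __name__ == "__main__":
    sk, pk = keygen()                            # sk stays with the backend
    updater = Updater({"kid-1": pk})
    sid = ("kid-1", encrypt(pk, 777))            # constructed sample sid_h
    for _ in range(3):
        sid = updater.update(sid)
        print(sid, "->", decrypt(sk, sid[1]))
```

Each call to `update` returns a different ciphertext pair under the same kid_(j), and only the holder of the secret key recovers the unchanged tag ID.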